Apparatus and Method for Domain Name Resolution

ABSTRACT

An apparatus and method for enhancing the infrastructure of a network such as the Internet is disclosed. Multiple edge servers and edge caches are provided at the edge of the network so as to cover and monitor all points of presence. The edge servers selectively intercept domain name translation requests generated by downstream clients, coupled to the monitored points of presence, to subscribing Web servers and provide translations which either enhance content delivery services or redirect the requesting client to the edge cache to make its content requests. Further, network traffic monitoring is provided in order to detect malicious or otherwise unauthorized data transmissions.

REFERENCE TO RELATED APPLICATIONS

This application is a continuation under 37 C.F.R. §1.53(b) of U.S. patent application Ser. No. 11/259,160, filed Oct. 26, 2005 (Attorney Docket No. 10736/07033BUS), now U.S. Pat. No. ______, the entire disclosure of which is hereby incorporated by reference, which is a continuation under 37 C.F.R. §1.53(b) of U.S. patent application Ser. No. 09/602,286, filed Jun. 23, 2000 (Attorney Docket No. 10736/5), now U.S. Pat. No. 7,003,555, the entire disclosure of which is hereby incorporated by reference.

BACKGROUND

The Internet is growing by leaps and bounds. Every day, more and more users log on to the Internet for the first time, and these and existing users are finding more and more content being made available to them. Whether it be for shopping, checking stock prices or communicating with friends, the Internet represents a universal medium for communications and commerce.

Unfortunately, the growing user base along with the growing content provider base is causing ever increasing congestion and strain on the infrastructure, the network hardware and software plus the communications links linking it all together, which makes up the Internet. While the acronym “WWW” is defined as “World Wide Web”, many users of the Internet have come to refer to it as the “World Wide Wait.”

These problems are not limited to the Internet either. Many companies provide internal networks, known as intranets, which are essentially private Internets for use by their employees. These intranets can become overloaded as well, especially when a company's intranet provides connectivity to the Internet. In this situation, the intranet is not only carrying internally generated traffic but also Internet traffic generated by the employees.

Furthermore, more and more malicious programmers are setting their sights on the Internet. These “hackers” spread virus programs or attempt to hack into Web sites in order to steal valuable information such as credit card numbers. Further, there have been an increasing number of Denial of Service attacks where a hacker infiltrates multiple innocent computers connected to the Internet and uses them, unwittingly, to bombard a particular Web site with an immense volume of traffic. This flood of traffic overwhelms the servers and literally shuts the Web site down.

Accordingly, there is a need for an enhanced Internet infrastructure to more efficiently deliver content from providers to users and provide additional network security and fault tolerance.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts an exemplary network for use with the preferred embodiments.

FIG. 2 depicts the operations of the Domain Name System of the exemplary network of FIG. 1.

FIG. 3 depicts an exemplary content delivery system for use with the exemplary network of FIG. 1.

FIG. 4 depicts a content delivery system for use with the network of FIG. 1 according to a first embodiment.

FIG. 4A depicts a block diagram of the edge server of FIG. 4.

FIG. 5 depicts a content delivery system for use with the network of FIG. 1 according to a second embodiment.

FIG. 5A depicts a block diagram of the edge server of FIG. 5.

FIG. 6 depicts a content delivery system for use with the network of FIG. 1 according to a third embodiment.

FIG. 6A depicts a block diagram of the edge server of FIG. 6.

DETAILED DESCRIPTION OF THE DRAWINGS AND PRESENTLY PREFERRED EMBODIMENTS

Referring now to the figures, and in particular, FIG. 1, there is shown an exemplary network 100 for use with the presently preferred embodiments. It is preferred that the network 100 be a publicly accessible network, and in particular, the Internet. While, for the purposes of this disclosure, the disclosed embodiments will be described in relation to the Internet, one of ordinary skill in the art will appreciate that the disclosed embodiments are not limited to the Internet and are applicable to other types of public networks as well as private networks, and combinations thereof, and all such networks are contemplated.

I. Introduction

As an introduction, a network interconnects one or more computers so that they may communicate with one another, whether they are in the same room or building (such as a Local Area Network or LAN) or across the country from each other (such as a Wide Area Network or WAN). A network is a series of points or nodes 126 interconnected by communications paths 128. Networks can interconnect with other networks and can contain sub-networks. A node 126 is a connection point, either a redistribution point or an end point, for data transmissions generated between the computers which are connected to the network. In general, a node 126 has a programmed or engineered capability to recognize and process or forward transmissions to other nodes 126. The nodes 126 can be computer workstations, servers, bridges or other devices but typically, these nodes 126 are routers.

A router is a device or, in some cases, software in a computer, that determines the next network node 126 to which a piece of data (also referred to as a “packet” in the Internet context) should be forwarded toward its destination. The router is connected to at least two networks or sub-networks and decides which way to send each information packet based on its current understanding of the state of the networks it is connected to. A router is located at any juncture of two networks, sub-networks or gateways, including each Internet point-of-presence (described in more detail below). A router is often included as part of a network switch. A router typically creates or maintains a table of the available routes and their conditions and uses this information along with distance and cost algorithms to determine the best route for a given packet. Typically, a packet may travel through a number of network points, each containing additional routers, before arriving at its destination.

The communications paths 128 of a network 100, such as the Internet, can be coaxial cable, fiber optic cable, telephone cable, leased telephone lines such as T1 lines, satellite links, microwave links or other communications technology as is known in the art. The hardware and software which allows the network to function is known as the “infrastructure.” A network 100 can also be characterized by the type of data it carries (voice, data, or both) or by the network protocol used to facilitate communications over the network's 100 physical infrastructure.

The Internet, in particular, is a publicly accessible worldwide network 100 which primarily uses the Transport Control Protocol and Internet Protocol (“TCP/IP”) to permit the exchange of information. At a higher level, the Internet supports several applications protocols including the Hypertext Transfer Protocol (“HTTP”) for facilitating the exchange of HTML/World Wide Web (“WWW”) content, File Transfer Protocol (“FTP”) for the exchange of data files, electronic mail exchange protocols, Telnet for remote computer access and Usenet for the collaborative sharing and distribution of information. It will be appreciated that the disclosed embodiments are applicable to many different applications protocols both now and later developed.

Logically, the Internet can be thought of as a Web of intermediate network nodes 126 and communications paths 128 interconnecting those network nodes 126 which provide multiple data transmission routes from any given point to any other given point on the network 100 (i.e. between any two computers connected to the network). Physically, the Internet can also be thought of as a collection of interconnected sub-networks wherein each sub-network contains a portion of the intermediate network nodes 126 and communications paths 128. The division of the Internet into sub-networks is typically geographically based, but can also be based on other factors such as resource limitations and resource demands. For example, a particular city may be serviced by one or more Internet sub-networks provided and maintained by competing Internet Service Providers (“ISP's”) (discussed in more detail below) to support the service and bandwidth demands of the residents.

Contrasting the Internet with an intranet, an intranet is a private network contained within an enterprise, such as a corporation, which uses the TCP/IP and other Internet protocols, such as the World Wide Web, to facilitate communications and enhance the business concern. An intranet may contain its own Domain Name Server (“DNS”) (described in more detail below) and may be connected to the Internet via a gateway, i.e., an intra-network connection, or gateway in combination with a proxy server (described in more detail below) or firewall, as are known in the art.

Referring back to FIG. 1, clients 102, 104, 106 and servers 108, 110, 112 are shown coupled with the network 100. Herein, the phrase “coupled with” is defined to mean directly connected to or indirectly connected with through one or more intermediate components. Such intermediate components may include both hardware and software based components. The network 100 facilitates communications and interaction between one or more of the clients 102, 104, 106 and one or more of the servers 108, 110, 112 (described in more detail below). Alternatively, the network 100 also facilitates communications and interaction among one or more of the clients 102, 104, 106, e.g. between one client 102, 104, 106 and another client 102, 104, 106 or among one or more of the servers 108, 110, 112, e.g. between one server 108, 110, 112 and another server 108, 110, 112.

A client 102, 104, 106 may include a personal computer workstation, mobile or otherwise, wireless device such as a personal digital assistant or cellular telephone, an enterprise scale computing platform such as a mainframe computer or server or may include an entire intranet or other private network which is coupled with the network 100. Typically, a client 102, 104, 106 initiates data interchanges with other computers, such as servers 108, 110, 112 coupled with the network 100. These data interchanges most often involve the client requesting data or content from the other computer and the other computer providing that data or content in response to the request. Alternatively, the other computer coupled with the network can “push” data or content to the client 102, 104, 106 without it first being requested. For example, an electronic mail server 108, 110, 112 may automatically push newly received electronic mail over the network 100 to the client 102, 104, 106 as the new electronic mail arrives, alleviating the client 102, 104, 106 from first requesting that new mail be sent. It will be apparent to one of ordinary skill in the art that there can be many clients 102, 104, 106 coupled with the network 100.

A server 108, 110, 112 may include a personal computer workstation, an enterprise scale computing platform or other computer system as are known in the art. A server 108, 110, 112 typically responds to requests from clients 102, 104, 106 over the network 100. In response to the request, the server 108, 110, 112 provides the requested data or content to the client 102, 104, 106 which may or may not require some sort of processing by the server 108, 110, 112 or another computer to produce the requested response. It will be apparent to one of ordinary skill in the art that a client 102, 104, 106 may also be a server 108, 110, 112 and vice versa depending upon the nature of the data interchange taking place. For purposes of this disclosure, a client 102, 104, 106 requests or receives content and is separate from a server 108, 110, 112 which provides content (whether requested or not, i.e. pushed). Preferably, servers 108, 110, 112 are World Wide Web servers serving Web pages and/or Web content to the clients 102, 104, 106 (described in more detail below). It will be apparent to one of ordinary skill in the art that there can be many servers 108, 110, 112 coupled with the network 100.

Clients 102, 104, 106 are each coupled with the network 100 at a point of presence (“POP”) 114, 116. The POP 114, 116 is the connecting point which separates the client 102, 104, 106 from the network 100. In a public network 100, such as the Internet, the POP 114, 116 is the logical (and possibly physical) point where the public network 100 ends, after which comes the private hardware or private network of the client 102, 104, 106. A POP 114, 116 is typically provided by a service provider 118, 120, such as an Internet Service Provider (“ISP”) 118, 120, which provides connectivity to the network 100 on a fee for service basis. A POP 114, 116 may actually reside in rented space owned by a telecommunications carrier such as AT&T or Sprint to which the ISP 118, 120 is connected. A POP 114, 116 may be coupled with routers, digital/analog call aggregators, servers 108, 110, 112, and frequently frame relay or ATM switches. As will be discussed below, a POP 114, 116 may also contain cache servers and other content delivery devices.

A typical ISP 118, 120 may provide multiple POP's 114, 116 to simultaneously support many different clients 102, 104, 106 connecting with the network 100 at any given time. A POP 114, 116 is typically implemented as a piece of hardware such as a modem or router but may also include software and/or other hardware such as computer hardware to couple the client 102, 104, 106 with the network 100 both physically/electrically and logically (as will be discussed below). The client 102, 104, 106 connects to the POP 114, 116 over a telephone line or other transient or dedicated connection. For example, where a client 102, 104, 106 is a personal computer workstation with a modem, the ISP 118, 120 provides a modem as the POP 114, 116 to which the client 102, 104, 106 can dial in and connect to via a standard telephone line. Where the client 102, 104, 106 is a private intranet, the POP 114, 116 may include a gateway router which is connected to an internal gateway router within the client 102, 104, 106 by a high speed dedicated communication link such as a T1 line or a fiber optic cable.

A service provider 118, 120 will generally provide POP's 114, 116 which are geographically proximate to the clients 102, 104, 106 being serviced. For dial up clients 102, 104, 106, this means that the telephone calls can be local calls. For any client 102, 104, 106, a POP which is geographically proximate typically results in a faster and more reliable connection with the network 100. Servers 108, 110, 112 are also connected to the network 100 by POP's 114, 116. These POP's 114, 116 typically provide a dedicated, higher capacity and more reliable connection to facilitate the data transfer and availability needs of the server 108, 110, 112. Where a client 102, 104, 106 is a wireless device, the service provider 118, 120 may provide many geographically dispersed POP's 114, 116 to facilitate connecting with the network 100 from wherever the client 102, 104, 106 may roam or alternatively have agreements with other service providers 118, 120 to allow access by each other's customers. Each service provider 118, 120, along with its POP's 114, 116 and the clients 102, 104, 106, effectively forms a sub-network of the network 100.

Note that there may be other service providers 118, 120 “upstream” which provide network 100 connectivity to the service providers 118, 120 which provide the POP's 114, 116. Each upstream service provider 118, 120 along with its downstream service providers 118, 120 again forms a sub-network of the network 100. Peering is the term used to describe the arrangement of traffic exchange between Internet service providers (ISPs) 118, 120. Generally, peering is the agreement to interconnect and exchange routing information. More specifically, larger ISP's 118, 120 with their own backbone networks (high speed, high capacity network connections which interconnect sub-networks located in disparate geographic regions) agree to allow traffic from other large ISP's 118, 120 in exchange for traffic on their backbones. They also exchange traffic with smaller service providers 118, 120 so that they can reach regional end points where the POP's 114, 116 are located. Essentially, this is how a number of individual sub-network owners compose the Internet. To do this, network owners and service providers 118, 120 work out agreements to carry each other's network traffic. Peering requires the exchange and updating of router information between the peered ISP's 118, 120, typically using the Border Gateway Protocol (BGP). Peering parties interconnect at network focal points such as the network access points (NAPs) in the United States and at regional switching points. Private peering is peering between parties that are bypassing part of the publicly accessible backbone network through which most Internet traffic passes. In a regional area, some service providers 118, 120 have local peering arrangements instead of, or in addition to, peering with a backbone service provider 118, 120.

A network access point (NAP) is one of several major Internet interconnection points that serve to tie all of the service providers 118, 120 together so that, for example, an AT&T user in Portland, Oreg. can reach the Web site of a Bell South customer in Miami, Fla. The NAPs provide major switching facilities that serve the public in general. Service providers 118, 120 apply to use the NAP facilities and make their own inter-company peering arrangements. Much Internet traffic is handled without involving NAPs, using peering arrangements and interconnections within geographic regions.

For purposes of later discussions, the network 100 can be further logically described to comprise a core 122 and an edge 124. The core 122 of the network 100 includes the servers 108, 110, 112 and the bulk of the network 100 infrastructure, as described above, including larger upstream service providers 118, 120, and backbone communications links, etc. Effectively, the core 122 includes everything within the network 100 up to the POP's 114, 116. The POP's 114, 116 and their associated hardware lie at the edge 124 of the network 100. The edge 124 of the network 100 is the point where clients 102, 104, 106, whether single devices, computer workstations or entire corporate internal networks, couple with the network 100. As defined herein, the edge 124 of the network 100 may include additional hardware and software such as Domain Name Servers, cache servers, proxy servers and reverse proxy servers as will be described in more detail below. Typically, as the network 100 spreads out from the core 122 to the edge 124, the total available bandwidth of the network 100 is diluted over more and more lower cost and lower bandwidth communications paths. At the core 122, bandwidth over the higher capacity backbone interconnections tends to be more costly than bandwidth at the edge 124 of the network 100. As with all economies of scale, high bandwidth interconnections are more difficult to implement and therefore rarer and more expensive than low bandwidth connections. It will be appreciated that even as technology progresses, newer and higher bandwidth technologies will remain more costly than lower bandwidth technologies.

II. The World Wide Web

As was discussed above, clients 102, 104, 106 engage in data interchanges with servers 108, 110, 112. On the Internet, these data exchanges typically involve the World Wide Web (“WWW”). Relative to the TCP/IP suite of protocols (which are the basis for information exchange on the Internet), HTTP is an application protocol. A technical definition of the World Wide Web is all the resources and users on the Internet that are using the Hypertext Transfer Protocol (“HTTP”). HTTP is the set of rules for exchanging data in the form of files (text, graphic images, audio, video, and other multimedia files, such as streaming media and instant messaging), also known as Web content, between clients 102, 104, 106 and servers 108, 110, 112. Servers 108, 110, 112 which serve Web content are also known as Web servers 108, 110, 112.

Essential concepts that are part of HTTP include (as its name implies) the idea that files/content can contain references to other files/content whose selection will elicit additional transfer requests. Any Web server 108, 110, 112 contains, in addition to the files it can serve, an HTTP daemon, a program that is designed to wait for HTTP requests and handle them when they arrive. A personal computer Web browser program, such as Microsoft™ Internet Explorer, is an HTTP client program (a program which runs on the client 102, 104, 106), sending requests to Web servers 108, 110, 112. When the browser user enters file requests by either “opening” a Web file (typing in a Uniform Resource Locator or URL) or clicking on a hypertext link, the browser builds an HTTP request and sends it to the Web server 108, 110, 112 indicated by the URL. The HTTP daemon in the destination server 108, 110, 112 receives the request and, after any necessary processing, returns the requested file to the client 102, 104, 106.

The Web content which a Web server typically serves is in the form of Web pages which consist primarily of Hypertext Markup Language. Hypertext Markup Language (“HTML”) is the set of “markup” symbols or codes inserted in a file intended for display on a World Wide Web browser. The markup tells the Web browser how to display a Web page's words and images, as well as other content, for the user. The individual markup codes are referred to as elements or tags. Web pages can further include references to other files which are stored separately from the HTML code, such as image or other multimedia files to be displayed in conjunction with the HTML Web content.

A Web site is a related collection of Web files/pages that includes a beginning HTML file called a home page. A company or an individual tells someone how to get to their Web site by giving that person the address or domain name of their home page (the addressing scheme of the Internet and the TCP/IP protocol is described in more detail below). From the home page, links are typically provided to all the other pages (HTML files) located on their site. For example, the Web site for IBM™ has the home page address of http://www.ibm.com. Alternatively, the home page address may include a specific file name like index.html but, as in IBM's case, when a standard default name is set up, users don't have to enter the file name. IBM's home page address leads to thousands of pages. (But a Web site can also be just a few pages.)

Since site implies a geographic place, a Web site can be confused with a Web server 108, 110, 112. As was discussed above, a server 108, 110, 112 is a computer that holds and serves the HTML files, images and other data for one or more Web sites. A very large Web site may be spread over a number of servers 108, 110, 112 in different geographic locations or one server 108, 110, 112 may support many Web sites. For example, a Web hosting company may provide server 108, 110, 112 facilities to a number of Web sites for a fee. Multiple Web sites can cross-link to files on other Web sites or even share the same files.

III. The Domain Name System

As was described above, the network 100 facilitates communications between clients 102, 104, 106 and servers 108, 110, 112. More specifically, the network 100 facilitates the transmission of HTTP requests from a client 102, 104, 106 to a server 108, 110, 112 and the transmission of the server's 108, 110, 112 response to that request, the requested content, back to the client 102, 104, 106. In order to accomplish this, each device coupled with the network 100, whether it be a client 102, 104, 106 or a server 108, 110, 112, must provide a unique identifier so that communications can be routed to the correct destination. On the Internet, these unique identifiers comprise domain names (which generally will include World Wide Web Uniform Resource Locators or “URL's”) and Internet Protocol addresses or “IP” addresses. Every client 102, 104, 106 and every server 108, 110, 112 must have a unique domain name and IP address so that the network 100 can reliably route communications to it. Additionally, clients 102, 104, 106 and servers 108, 110, 112 can be coupled with proxy servers (forward, reverse or transparent), discussed in more detail below, which allow multiple clients 102, 104, 106 or multiple servers 108, 110, 112 to be associated with a single domain name or a single IP address. In addition, a particular server 108, 110, 112 may be associated with multiple domain names and/or IP addresses for more efficient handling of requests or to handle multiple content providers, e.g. multiple Web sites, on the same server 108, 110, 112. Further, as was discussed above, since a POP 114, 116 provides the connecting point for any particular client 102, 104, 106 to connect to the network 100, it is often satisfactory to provide each POP 114, 116 with a unique domain name and IP address since the POP 114, 116 will reliably deliver any communications received by it to its connected client 102, 104, 106. Where the client 102, 104, 106 is a private network, it may have its own internal hardware, software and addressing scheme (which may also include domain names and IP addresses) to reliably deliver data received from the POP 114, 116 to the ultimate destination within the private network client 102, 104, 106.

As was discussed, the Internet is a collection of interconnected sub-networks whose users communicate with each other. Each communication carries the address of the source and destination sub-networks and the particular machine within the sub-network associated with the user or host computer at each end. This address is called the IP address (Internet Protocol address). In the current implementation of the Internet, the IP address is a 32 bit binary number divided into four 8 bit octets. This 32-bit IP address has two parts: one part identifies the source or destination sub-network (with the network number) and the other part identifies the specific machine or host within the source or destination sub-network (with the host number). An organization can use some of the bits in the machine or host part of the address to identify a specific sub-network within the sub-network. Effectively, the IP address then contains three parts: the sub-network number, an additional sub-network number, and the machine number.

One problem with IP addresses is that they have very little meaning to ordinary users/human beings. In order to provide an easier to use, more user friendly network 100, a symbolic addressing scheme operates in parallel with the IP addressing scheme. Under this symbolic addressing scheme, each client 102, 104, 106 and server 108, 110, 112 is also given a “domain name” and further, individual resources, content or data are given a Uniform Resource Locator (“URL”) based on the domain name of the server 108, 110, 112 on which it is stored. Domain names and URL's are human comprehensible text and/or numeric strings which have symbolic meaning to the user. For example, a company may have a domain name for its servers 108, 110, 112 which is the company name, i.e., IBM Corporation's domain name is ibm.com. Domain names are further used to identify the type of organization to which the domain name belongs. These are called “top-level” domain names and include com, edu, org, mil, gov, etc. Com indicates a corporate entity, edu indicates an educational institution, mil indicates a military entity, and gov indicates a government entity. It will be apparent to one of ordinary skill in the art that the text strings which make up domain names may be arbitrary and that they are designed to have relevant symbolic meaning to the users of the network 100. A URL typically includes the domain name of the provider of the identified resource, an indicator of the type of resource and an identifier of the resource itself. For example, for the URL “http://www.ibm.com/index.html”, http identifies this resource as a hypertext transfer protocol compatible resource, www.ibm.com is the domain name (again, the www is arbitrary and typically is added to indicate to a user that the server 108, 110, 112 associated with this domain name is a world wide Web server), and index.html identifies a hypertext markup language file named “index.html” which is stored on the identified server 108, 110, 112.

Domain names make the network 100 easier for human beings to utilize; however, the network infrastructure ultimately uses IP addresses, and not domain names, to route data to the correct destination. Therefore, a translation system is provided by the network 100 to translate the symbolic human comprehensible domain names into IP addresses which can then be used to route the communications. The Domain Name System (“DNS”) is the way that Internet domain names are located and translated into IP addresses. The DNS is a distributed translation system of address translators whose primary function is to translate domain names into IP addresses and vice versa. Due to the ever expanding number of potential clients 102, 104, 106 and servers 108, 110, 112 coupled with the network 100 (currently numbering in the millions), maintaining a central list of domain name/IP address correspondences would be impractical. Therefore, the lists of domain names and corresponding IP addresses are distributed throughout the Internet in a hierarchy of authority. A DNS server, typically located within close geographic proximity to a service provider 118, 120 (and likely provided by that service provider 118, 120), handles requests to translate the domain names serviced by that service provider 118, 120 or forwards those requests to other DNS servers coupled with the Internet for translation.

DNS translations (also known as “lookups” or “resolutions”) can be forward or reverse. Forward DNS translation uses an Internet domain name to find an IP address. Reverse DNS translation uses an Internet IP address to find a domain name. When a user enters the address or URL for a Web site or other resource into their browser program, the address is transmitted to a nearby router which does a forward DNS translation in a routing table to locate the IP address. Forward DNS translations are the more common translation since most users think in terms of domain names rather than IP addresses. However, occasionally a user may see a Web page with a URL in which the domain name part is expressed as an IP address (sometimes called a dot address) and wants to be able to see its domain name, to, for example, attempt to determine the identity of who is providing the particular resource. To accomplish this, the user would perform a reverse DNS translation.

The DNS translation servers provided on the Internet form a hierarchy through which any domain name can be “resolved” into an IP address. If a particular DNS translation server does not “know” the corresponding IP address of a given domain name, it “knows” other DNS translation servers it can “ask” to get that translation. This hierarchy includes “top-level” DNS translation servers which “know” which resources (clients 102, 104, 106 or servers 108, 110, 112) have a particular top level domain identifier, i.e. com, gov, edu, etc. as described above. This hierarchy further continues all the way up to the actual resource (client 102, 104, 106 or server 108, 110, 112) which is typically affiliated with a DNS translation server which “knows” about it and its IP address. A particular DNS translation server “knows” of a translation when it exists in its table of translations and has not expired. Any particular translation will typically be associated with a Time to Live (“TTL”) which specifies a duration, time or date after which the translation expires. As discussed, for a given translation, if a DNS translation server does not know the translation, because it is not in its routing table or it has expired, that DNS translation server will have to inquire up the hierarchical chain of DNS translation servers in order to make the translation. In this way, new domain name and IP address translations can be propagated through the DNS translation server hierarchy as new resources are added and old resources are assigned new addresses.
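The hierarchical lookup and TTL expiry described above, as an added Python simulation that is not part of the patent. A caching resolver (standing in for the service provider's DNS server) walks a constructed three-level hierarchy, a top-level server, a "com" server and an "example.com" server with made-up names and addresses, serves a cached translation only while its TTL has not expired, and bounds the number of referrals it will follow so a misconfigured loop cannot hang it.

```python
"""Simulated DNS hierarchy with a TTL-aware caching resolver (added example)."""


class AuthServer:
    """A translation server that "knows" some names and whom to "ask" for others."""

    def __init__(self, name, answers, referrals):
        self.name = name
        self.answers = answers        # fqdn -> (ip, ttl_seconds)
        self.referrals = referrals    # zone suffix -> AuthServer to ask next

    def query(self, fqdn):
        """Return ('answer', ip, ttl), ('refer', server, None) or ('nxdomain', None, None)."""
        if fqdn in self.answers:
            ip, ttl = self.answers[fqdn]
            return ("answer", ip, ttl)
        for suffix, server in self.referrals.items():
            if fqdn == suffix or fqdn.endswith("." + suffix):
                return ("refer", server, None)
        return ("nxdomain", None, None)


class CachingResolver:
    """The service provider's DNS server: answers from its table while the
    entry is unexpired, otherwise inquires up the chain starting at the top."""

    MAX_REFERRALS = 8   # defensive bound: a referral loop must not hang the resolver

    def __init__(self, top_level, clock):
        self.top_level = top_level
        self.clock = clock            # callable returning "now" in seconds
        self.cache = {}               # fqdn -> (ip, expires_at)
        self.upstream_queries = 0     # how many times the hierarchy was asked

    def resolve(self, fqdn):
        now = self.clock()
        cached = self.cache.get(fqdn)
        if cached is not None and cached[1] > now:
            return cached[0]          # "knows" it: present and not expired
        self.cache.pop(fqdn, None)    # expired entries are evicted, never served
        server = self.top_level
        for _ in range(self.MAX_REFERRALS):
            self.upstream_queries += 1
            kind, value, ttl = server.query(fqdn)
            if kind == "answer":
                self.cache[fqdn] = (value, now + ttl)   # expires per the TTL
                return value
            if kind == "refer":
                server = value
                continue
            return None               # no such name anywhere in the hierarchy
        raise RuntimeError(f"referral limit exceeded while resolving {fqdn}")


class FakeClock:
    """Controllable time source so TTL expiry can be demonstrated offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def build_example_hierarchy():
    """Constructed sample data: names, addresses and TTLs are made up."""
    example_com = AuthServer("example.com zone", {
        "example.com": ("192.0.2.1", 300),
        "www.example.com": ("192.0.2.10", 60),
    }, {})
    com = AuthServer("com zone", {}, {"example.com": example_com})
    top = AuthServer("DNS Top", {}, {"com": com})
    return top


if __name__ == "__main__":
    clock = FakeClock()
    resolver = CachingResolver(build_example_hierarchy(), clock)
    print(resolver.resolve("www.example.com"), resolver.upstream_queries)
    clock.advance(61)                 # past the 60 s TTL: must re-resolve
    print(resolver.resolve("www.example.com"), resolver.upstream_queries)
```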

Referring now to FIG. 2, there is shown a diagram illustrating the basic operation of the Domain Name System 200. Depicted in the figure are clients 102, 104, 106, labeled “Client 1”, “Client 2” and “Client 3.” Clients 1 and 2 are coupled with POP's 114 provided by service provider 120, labeled “POP1A” and “POP1B.” Client 3 is coupled with a POP (not shown) provided by service provider 118, labeled “POP2.” In addition, service providers 118, 120 may provide additional POP's 114 for other clients 102, 104, 106 as described above. Service provider 120 is shown further coupled with service provider 118, a server 108, labeled “Server 1”, preferably a Web server and more preferably an entire Web site which may comprise multiple sub-servers (not shown) as discussed above, and a top-level DNS translation server 202, labeled “DNS Top”, all via the network 100 which is preferably the Internet. Furthermore, service provider 120 further includes a DNS translation server 204, labeled “DNS A”, and routing and interconnection hardware 206, as described above, to electrically and logically couple the POP's 114 with the network 100. Optionally, the service provider 120 may also include a cache server 208 or proxy server (not shown) to enhance content delivery as described below.

In order for a client 102, 104, 106 to generate a request for content to a particular server 108, the client 102, 104, 106 first determines the IP address of the server 108 so that it can properly address its request. Referring to Client 1 102, an exemplary DNS translation transaction where the client 102, 104, 106 is a single workstation computer is depicted. A user of Client 1 enters a URL or domain name of the Server 1 108 and specific resource contained within Server 1, such as a sub-server, into their browser program in order to make a request for content. The browser program typically handles negotiating the DNS translation transaction and typically has been pre-programmed (“bound”) with the IP address of a particular DNS translation server to go to first in order to translate a given domain name. Typically, this bound DNS translation server will be DNS A 204 provided by the service provider 120. Alternatively, where the client 102, 104, 106 is not bound to a particular DNS translation server, the service provider 120 can automatically route translation requests received by its POP's 114 to its DNS translation server, DNS A 202. The process by which a domain name is translated is often referred to as the “slow start” DNS translation protocol. This is in contrast to what is known as the “slow start HTTP” protocol which will be discussed below in more detail in relation to content delivery.

Client 1 102 then sends its translation request, labeled as “A1”, to its POP 114, POP1A. The request, A1, is addressed with a return address of Client 1 and with the IP address of the bound DNS A 204; therefore the service provider's 120 routing equipment 206 automatically routes the request to DNS A 204, labeled as “B.” Assuming DNS A 204 does not know how to translate the given domain name in the request or the translation in its routing table has expired, it must go up the DNS hierarchy to complete the translation. DNS A 204 will then forward a request, labeled “C”, upstream to the top-level DNS translation server 202 associated with the top-level domain in the domain address, i.e. com, gov, edu etc. DNS A 204 has been pre-programmed with the IP addresses of the various hierarchical servers that it may need to talk to in order to complete a translation. DNS A 204 addresses request C with the IP address of the top-level DNS server 202 and also includes its own return address. DNS A then transmits the request over the network 100 which routes the request to the top level DNS server 202. The top-level DNS server 202 will then translate and return the IP address corresponding to Server 1 108 back to DNS A 204 via the network 100, labeled “D.”

As was discussed above, a particular domain name may be associated with multiple IP addresses of multiple sub-servers 108, 110, 112, as in the case of a Web site which, due to its size, must be stored across multiple sub-servers 108, 110, 112. Therefore, in order to identify the exact sub-server which can satisfy the request of the Client 1 102, DNS A 204 must further translate the domain address into the specific sub-server 108. In order to accomplish this, Server 1 108 provides its own DNS translation server 210 which knows about the various sub-servers and other resources contained within Server 1 108. DNS A 204, now knowing the IP address of Server 1 108, e.g. the Web site generally, can create a request, labeled “E”, to translate the domain name/URL provided by Client 1 102 into the exact sub-server/resource on Server 1 108. DNS B 210 returns the translation, labeled “F”, to DNS A 204 which then returns it to Client 1 102 via the service provider's routing equipment 206, labeled “G”, which routes the response through POP1A 114 to the Client 1, labeled “H1.” Client 1 102 now has the IP address it needs to formulate its content requests to Server 1 108.

FIG. 2 further depicts an exemplary DNS translation transaction wherein the client 102, 104, 106 is a private network such as an intranet. For example, client 2 104 may comprise its own network of computer systems. Furthermore, client 2 104 may provide its own DNS translation server (not shown) to handle internal routing of data as well as the routing of data over the network 100 generally for the computer systems coupled with this private network. In this case, the internal DNS translation server will either be programmed to send its unknown translations to DNS A (labeled as “A2”, “B”, “C”, “D”, “E”, “F”, “G”, “H2”) or may be programmed to use the DNS hierarchy itself, i.e. communicate directly with the upstream DNS Top 202 and DNS B 210 (labeled as “A2”, “B2”, “C2”, “D2”, “E2”, “F2”, “G2”, “H2”). In these cases, the internal DNS translation server simply adds another layer to the DNS hierarchy as a whole, but the system continues to function similarly as described above.

In addition, FIG. 2 further depicts an exemplary DNS translation transaction wherein the client 102, 104, 106 is coupled with a POP 114 that is not associated with its bound DNS translation server 204. For example, Client 3 106 is depicted as being coupled with POP2 provided by service provider 118. In the exemplary situation, Client 3 106 is bound with DNS A 204 provided by service provider 120. This situation can occur in the wireless environment, where a particular wireless client 102, 104, 106 couples with whatever POP 114, 116 is available in its geographic proximity (e.g. when roaming) and is affiliated, e.g. has access sharing agreements, with the service provider 120 who generally provides connectivity services for the client 102, 104, 106. In this case, client 3 106 will perform its translation requests as described above, and will address these requests to its bound DNS Server, in this case DNS A 204. The service provider 118 will see the address of the DNS A 204 in client 3's 106 translation requests and appropriately route the translation request over the network 100 to service provider 120 and ultimately on to DNS A 204. DNS A 204 will appropriately handle the request and return it via the network 100 accordingly (labeled as “A3”, “B”, “C”, “D”, “E”, “F”, “G”, “H3”).

It will be appreciated that in each of the examples given above, if a particular DNS translation server already “knows” the requested translation, the DNS translation server does not have to go up the hierarchy and can immediately return the translation to the requester, either the client 102, 104, 106 or downstream DNS translation server.

It should be noted that, because a given server 108, 110, 112 may comprise multiple IP addresses, the DNS translation servers may be programmed to return a list of IP addresses in response to a given domain name translation request. Typically, this list will be ordered from the most optimal IP address to the least optimal IP address. The browser program can then pick one of the IP addresses to send content requests to and automatically switch to another IP address should the first requests fail to reach the destination server 108, 110, 112 due to a hardware failure or network 100 congestion. It will further be appreciated that the operations and structure of the existing DNS system are known to those of ordinary skill in the art.

IV. Content Delivery

As mentioned above, once the DNS translation is complete, the client 102, 104, 106 can initiate its requests for content from the server 108. Typically, the requests for content will be in the form of HTTP requests for Web content as described above. In order to alleviate server 108 overload, the HTTP protocol provides a “slow start” mechanism. As was described above, a Web page consists of HTML code plus images, multimedia or other separately stored content. Typically, the amount of HTML code contained within a Web page is very small compared to the amount of image and/or multimedia data. When a client requests a Web page from the server 108, the server 108 must serve the HTML code and the associated image/multimedia data to the client 102, 104, 106. However, the client 102, 104, 106, upon receipt of the HTML code, may decide, for whatever reason, that it does not want the associated image/multimedia data. To prevent the server 108 from wasting processing and bandwidth resources unnecessarily by sending unwanted data, the HTTP slow start protocol forces the client 102, 104, 106 to first request the HTML code and then, subsequent to receipt of that HTML code, request any associated separately stored content. In this way, if after the initial request, the client 102, 104, 106 disconnects or otherwise switches to making requests of another server 108, the initial server 108 is not burdened with serving the unwanted or unnecessary content.

In addition, it is important to note that clients 102, 104, 106 may be located very far from the servers 108 they request content from, either geographically or even logically in consideration of the network topology. For example, a client 102, 104, 106 may be located in Chicago, Ill. while the server 108 from which it is requesting content is located in Paris, France. Alternatively, client 102, 104, 106 may be located in the same city as server 108 but, due to the topology of the network 100, there may be multiple nodes 126 and interconnecting communications paths 128 between the client 102, 104, 106 and the server 108 necessitating a lengthy route for any data transmitted between the two. Either scenario can significantly impact the response time of a server 108 to a given request from a client 102, 104, 106. Adding in the fact that the network 100 may be servicing millions of clients 102, 104, 106 and servers 108 at any given time, the response time may be further impacted by reduced bandwidth and capacity caused by network congestion at the server 108 or at one or more intermediate network nodes 126.

Servers 108 and service providers 118, 120 may attempt to alleviate this problem by increasing the speed and bandwidth capacity of the network 100 interconnections. Further, servers 108 may attempt to alleviate slow request response times by providing multiple sub-servers which can handle the volume of requests received with minimal latency. These sub-servers can be provided behind a reverse proxy server which, as described above, is “tightly coupled” with the Web site and can route content requests directed to a single IP address to any of the multiple sub-servers. This reduces the number of individual translations that have to be made available to the DNS translation system and kept up to date for all of the sub-servers. The reverse proxy server can also attempt to balance the load across multiple sub-servers by allocating incoming requests using, for example, a round-robin routine. Reverse proxy servers can further include a cache server as described below to further enhance the Server's 108 ability to handle a high volume of requests or the serving of large volumes of data in response to any given request. It will be appreciated that reverse proxy servers and load balancing techniques are generally known to those of ordinary skill in the art.

Clients 102, 104, 106 and service providers 118, 120 (and, as described above, servers 108) may attempt to alleviate this problem by including a cache or cache server 208. A cache server 208 is a server computer (or alternatively implemented in software directly on the client 102, 104, 106 or another computer coupled with the client 102, 104, 106 such as at the POP 114) located, both logically and geographically, relatively close to the client 102, 104, 106. The cache server 208 saves/caches Web pages and other content that clients 102, 104, 106, who share the cache server, have requested in the past. Successive requests for the same content can then be satisfied by the cache server 208 itself without the need to contact the source of the content. A cache server 208 reduces the latency of fulfilling requests and also reduces the load on the content source. Further, a cache server 208 at the edge 124 of the Internet reduces the consumption of bandwidth at the core 122 of the Internet where it is more expensive. The cache server 208 may be a part of a proxy server or may be provided by a service provider 118, 120.

Cache servers 208 invisibly intercept requests for content and attempt to provide the requested content from the cache (also known as a “hit”). Note that a cache server 208 is not necessarily invisible, especially when coupled with a proxy server. In this case, the client 102, 104, 106 may need to be specially programmed to communicate its content requests to the proxy server in order to utilize the cache server. Cache servers 208, as referred to in this disclosure then, may include these visible cache servers as well as invisible cache servers which transparently intercept and attempt to service content requests. Where the requested content is not in the cache (also known as a “miss”), the cache forwards the request on to the content source. When the source responds to the request by sending the content to the client 102, 104, 106, the cache server 208 saves a copy of the content in its cache for later requests. In the case where a cache server is part of a proxy server, the cache/proxy server makes the request to the source on behalf of the client 102, 104, 106. The source then provides the content to the cache/proxy server which caches the content and also forwards the requested content to the client 102, 104, 106. An exemplary software based cache server is provided by SQUID, a program that caches Web and other Internet content in a UNIX-based proxy server closer to the user than the content-originating site. SQUID is provided as open source software and can be used under the GNU license for free software, as is known in the art.

Caches operate on two principles, temporal locality and spatial locality. Temporal locality is a theory of cache operation which holds that data recently requested will most likely be requested again. This theory dictates that a cache should store only the most recent data that has been requested and older data can be eliminated from the cache. Spatial locality is a theory of cache operation which holds that data located near requested data (e.g. logically or sequentially) will be likely to be requested next. This theory dictates that a cache should fetch and store data in and around the requested data in addition to the requested data. In practice, this means that when an HTML Web page is requested, the cache should go ahead and request the separately stored content, i.e. begin the slow start process, because more likely than not, the client 102, 104, 106 will request this data upon receipt of the HTML code.

While cache servers 208 alleviate some of the problems with net congestion and request response times, they do not provide a total solution. In particular, they do not provide a viable solution for dynamic content (content which continually changes, such as news, as opposed to static or fixed content). This type of content cannot be cached, otherwise the requesting client 102, 104, 106 will receive stale data. Furthermore, cache servers 208 often cannot support the bandwidth and processing requirements of streaming media, such as video or audio, and must defer these content requests to the server 108 which is the source of the content. Cache servers 208, in general, further lack the capability to service a large volume of requests from a large volume of clients 102, 104, 106 due to the immense capacity requirements. Typically, then, general cache servers 208, such as those provided by a service provider 118, 120, will have high miss rates and low hit rates. This translates into a minimal impact on server 108 load, request response times and network 100 bandwidth. Moreover, as will be discussed below, by simply passing on requests which miss in the cache to the server 108 to handle, the server 108 is further subjected to increased security risks from the untrusted network 100 traffic which may comprise, for example, a denial of service attack or an attempt by a hacker to gain unauthorized access.

Referring now to FIG. 3, there is depicted an enhanced content delivery system 300 which provides optimized caching of content from the server 108 to the client 102, 104, 106 utilizing the HTTP slow start protocol. The system 300 is typically provided as a pay-for service by a content delivery service to which particular servers 108 subscribe in order to enhance requests made by clients 102, 104, 106 for their specific content. FIG. 3 depicts the identical DNS system of FIG. 2 but adds cache servers 302 and 304, labeled “Cache C1” and “Cache C2”, plus a special DNS translation server 306, labeled “DNS C”, affiliated with the content delivery service.

The depicted system 300 implements one known method of “Content Delivery.” Content delivery is the service of copying the pages of a Web site to geographically dispersed cache servers 302, 304 and, when a page is requested, dynamically identifying and serving the page from the closest cache server 302, 304 to the requesting client 102, 104, 106, enabling faster delivery. Typically, high-traffic Web site owners and service providers 118, 120 subscribe to the services of the company that provides content delivery. A common content delivery approach involves the placement of cache servers 302, 304 at major Internet access points around the world and the use of a special routing code embedded in the HTML Web pages that redirects a Web page request (technically, a Hypertext Transfer Protocol—HTTP—request) to the closest cache server 302, 304. When a client 102, 104, 106 requests the separately stored content of a Web site/server 108 that is “content-delivery enabled,” the content delivery network re-directs that client 102, 104, 106 to make its request, not from the site's originating server 108, but to a cache server 302, 304 closer to the user. The cache server 302, 304 determines what content in the request exists in the cache, serves that content to the requesting client 102, 104, 106, and retrieves any non-cached content from the originating server 108. Any new content is also cached locally. Other than faster loading times, the process is generally transparent to the user, except that the URL ultimately served back to the client 102, 104, 106 may be different than the one initially requested. Content delivery is similar to but more selective and dynamic than the simple copying or mirroring of a Web site to one or several geographically dispersed servers. It will further be appreciated that geographic dispersion of cache servers is generally known to those of ordinary skill in the art.

FIG. 3 further details a known method of re-directing the requests generated by the client 102, 104, 106 to a nearby cache server 302, 304. This method utilizes the HTTP slow start protocol described above. When a client 102, 104, 106 wishes to request content from a particular server 108, it will obtain the IP address of the server 108, as described above, using the normal DNS translation system. Once the server's 108 IP address is obtained, the client 102, 104, 106 will make its first request for the HTML code file which comprises the desired Web page. As given by the HTTP slow start protocol, the server 108 will serve the HTML code file to the client 102, 104, 106 and then wait for the client 102, 104, 106 to request the separately stored files, e.g., the image and multimedia files, etc. Normally, these requests are made in the same way that the initial content request was made, by reading each URL from the HTML code file which identifies the separately stored content and formulating a request for that URL. If the domain name for the URL of the separately stored content is the same as the domain name for the initially received HTML code file, then no further translations are necessary and the client 102, 104, 106 can immediately formulate a request for that separately stored content because it already has the IP address. However, if the URL of the separately stored content comprises a different domain name, then the client 102, 104, 106 must go through the DNS translation process again to translate the new domain name into an IP address and then formulate its requests with the appropriate IP address. The exemplary content delivery service takes advantage of this HTTP slow start protocol characteristic.

The exemplary content delivery service partners with the subscribing Web server 108 and modifies the URL's of the separately stored content within the HTML code file for the particular Web page. The modified URL's include data which will direct their translation requests to a specific DNS translation server 306, DNS C, provided by the content delivery service. DNS C is an intelligent translation server which attempts to figure out where the client 102, 104, 106 is geographically located and translate the URL to point to a cache server 302, 304 which is geographically proximate to the client 102, 104, 106. DNS C performs this analysis by knowing the IP address of the downstream DNS server 204, DNS A, which it assumes is located near the client 102, 104, 106. By using this IP address and combining it with internal knowledge of the network 100 topology and assignment of IP addresses, DNS C 306 can determine the geographically optimal cache server 302, 304 to serve the requested content to the client 102, 104, 106.

An exemplary transaction is further depicted by FIG. 3. In this exemplary transaction, Client 3 106 wishes to request content from Server 1 108. Client 3 106 will establish the IP address of the source of the desired content using the standard DNS translation system described above, labeled “A1”, “B”, “C”, “D”, “E”, “F”, “G”, “H1.” Once Client 3 106 has the IP address of Server 1 108, it will generate a request for the initial HTML code file of the desired Web page and Server 1 108 will respond with the data. Client 3 106 will then request a particular separately stored file associated with the Web page by reading the URL from the HTML code file and translating the domain name contained therein. As noted above, this URL comprises the domain name of the content delivery service as well as an identifier which identifies the content being requested (since the content delivery service typically handles many different servers 108). Client 3 106 will generate another translation request to DNS A 204, labeled “I1” and “J.” DNS A 204 will attempt to translate the given domain name but will fail because the content delivery service has set all of its translations to have a TTL=0. Therefore, DNS A 204 will be required to contact DNS C 306 which is provided by the content delivery service, labeled “K” and “L.” Note that DNS A 204 may be required to contact DNS Top 202 in order to locate the IP address of DNS C 306. DNS C 306 receives the translation request and knows the IP address of DNS A 204, which was given as the return address for the translation. Using the IP address of DNS A 204, DNS C 306 figures out which cache server 302, 304 is geographically proximate to Client 3 106, in this case, Cache C2 304. An appropriate IP address is then returned by DNS C 306 to DNS A 204 and subsequently returned to Client 3 106. Client 3 106 then formulates its request for the separately stored data but, unwittingly, uses the IP address of the cache server C2 304. Cache server C2 304 receives the request and serves the desired content as described above.

FIG. 3 further illustrates a second exemplary transaction sequence which discloses a flaw in the depicted content delivery method. In this example, Client 1 102 wishes to request content from Server 1 108. Client 1 102 is a wireless or mobile client which is coupled with service provider 118 at POP2 but is bound to DNS A 204 provided by service provider 120. In this example, all of the translation and request transactions occur as in the above example for Client 3 106. The translation request to identify the IP address of the separately stored content will be handled by DNS A 204 which will then hand it off to DNS C 306 as described above. However, DNS C 306 will then attempt to identify a geographically proximate cache server 302, 304 based on the IP address of DNS A 204 which is not located near Client 1 102 in this example. Therefore DNS C 306 will return a translation directing Client 1 102 to cache server C2 304 when in fact, the optimal cache server would have been cache server C1 302. With more and more wireless and mobile users utilizing the Internet, mis-optimized re-direction of content delivery will happen more frequently. Furthermore, there may be cases where the Client 102, 104, 106 is dynamically bound to a DNS translator associated with whatever POP 114, 116 they are connecting to. While this may appear to solve the problem, the content delivery service is still basing its redirection determination on an indirect indicator of the location of the client 102, 104, 106. However, the IP address of the DNS translator may still fail to indicate the correct geographic location or the correct logical location (based on the topology of the network 100) of the client 102, 104, 106 in relation to the DNS translator. A more accurate indicator of the client's 102, 104, 106 physical geographic location and/or network logical location is needed in order to make an accurate decision on which cache server 302, 304 to redirect that client 102, 104, 106 to.
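As an added illustration, not code from the patent, the following simulation models both the FIG. 2 hierarchy (DNS A keeping translations until their TTL expires and otherwise walking DNS Top and DNS B) and the FIG. 3 redirection, where DNS C answers with TTL=0 and picks a cache server from the IP address of the resolver that asked; the last call reproduces the roaming-client mis-redirection described above. All names, addresses and networks are constructed for the example, and the class and function names are my own.

```python
import ipaddress


class AuthoritativeServer:
    """DNS B (a Web site's own translator): answers for names in its table."""

    def __init__(self, table, ttl):
        self.table = table  # qname -> IP address (constructed for the example)
        self.ttl = ttl      # seconds a downstream resolver may keep the answer

    def resolve(self, qname, resolver_ip):
        if qname in self.table:
            return self.table[qname], self.ttl
        return None


class TopLevelServer:
    """DNS Top: knows no hosts, only which translator handles each domain."""

    def __init__(self, referrals):
        self.referrals = referrals  # domain -> server that can translate it

    def refer(self, qname):
        for domain, server in self.referrals.items():
            if qname == domain or qname.endswith("." + domain):
                return server
        return None


class CdnServer:
    """DNS C: picks the cache server 'nearest' to the IP address that asked."""

    def __init__(self, pops):
        # (network, cache server IP); the first network containing the IP wins
        self.pops = [(ipaddress.ip_network(net), cache) for net, cache in pops]

    def nearest_cache(self, source_ip):
        addr = ipaddress.ip_address(source_ip)
        for net, cache in self.pops:
            if addr in net:
                return cache
        return self.pops[-1][1]  # no match: fall back to the last cache listed

    def resolve(self, qname, resolver_ip):
        # TTL=0: DNS A must come back for every lookup, so DNS C sees each one.
        # The only location hint DNS C has is the resolver's IP, not the client's.
        return self.nearest_cache(resolver_ip), 0


class RecursiveResolver:
    """DNS A: serves a still-live table entry, otherwise walks the hierarchy."""

    def __init__(self, ip, top):
        self.ip = ip
        self.top = top
        self.cache = {}  # qname -> (address, expiry time)

    def resolve(self, qname, now):
        hit = self.cache.get(qname)
        if hit is not None and now < hit[1]:
            return hit[0], "cache"
        server = self.top.refer(qname)                                # C / D
        answer = server.resolve(qname, self.ip) if server else None   # E / F
        if answer is None:
            raise LookupError(f"no translation for {qname}")
        address, ttl = answer
        if ttl > 0:  # a TTL=0 answer is used once and never stored
            self.cache[qname] = (address, now + ttl)
        return address, "upstream"


def build_example():
    dns_b = AuthoritativeServer({"www.server1.example": "192.0.2.10"}, ttl=300)
    dns_c = CdnServer([("10.1.0.0/16", "10.1.9.9"),    # Cache C1, provider 120
                       ("10.2.0.0/16", "10.2.9.9")])   # Cache C2, provider 118
    dns_top = TopLevelServer({"server1.example": dns_b, "cdn.example": dns_c})
    dns_a = RecursiveResolver("10.1.0.53", dns_top)  # DNS A, inside provider 120
    return dns_a, dns_c


def redirection_for(client_ip, dns_a, dns_c, now=0.0):
    """Cache DNS C hands out via DNS A, versus the one the client's own network warrants."""
    given, _ = dns_a.resolve("img.cdn.example", now)
    return given, dns_c.nearest_cache(client_ip)


if __name__ == "__main__":
    dns_a, dns_c = build_example()
    print(dns_a.resolve("www.server1.example", now=0))    # walks Top -> DNS B
    print(dns_a.resolve("www.server1.example", now=100))  # TTL still live: cache
    print(dns_a.resolve("www.server1.example", now=400))  # expired: upstream again
    print(redirection_for("10.1.7.7", dns_a, dns_c))  # client on provider 120: C1 given, C1 optimal
    print(redirection_for("10.2.7.7", dns_a, dns_c))  # roaming on provider 118: C1 given, C2 optimal
```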

V. The First Embodiment

Referring now to FIG. 4, there is depicted a first embodiment of an enhanced DNS system to facilitate the operation of content delivery services by eliminating the dependency on the geographic location of the downstream DNS server. In addition to what is shown in FIG. 3, the embodiment shown in FIG. 4 further adds an edge server 402 coupled with the routing equipment 206 and POP's 114 of an affiliated service provider 120 and preferably located within the affiliated service provider's 120 facilities. In one alternative embodiment, the edge server 402 is integrated with a router. In another alternative embodiment, the edge server is integrated with a generally accessible DNS translation server such as DNS A1 204. The edge server 402 is capable of monitoring the network traffic stream passing between the POP's 114 and the network 100, including the service provider's 120 hardware, such as the cache 208 and the DNS translation server 204, DNS A. The edge server 402 is further capable of selectively intercepting that traffic and preventing it from reaching its intended destination, modifying the intercepted traffic and reinserting the modified traffic back into the general network traffic stream. It is preferred that the facilities and capabilities of the edge server 402 be provided to content delivery services and/or Web servers 108 on a fee for services basis as will be described below. Further, it is preferred that an edge server 402 be provided at every major service provider 118, 120 so as to be able to selectively intercept network traffic at all possible POP's 114, 116 of the network 100.

Referring to FIG. 4A, the edge server 402 includes a request interceptor 404, a request modifier 406, and a request forwarder 408. The edge server 402 preferably includes one or more processors, a memory coupled with the processors and one or more network interfaces or other interfaces, also coupled with the processors and operative to couple or integrate the edge server 402 with the routing equipment of the service provider 120. Optionally, the edge server 402 may include secondary storage including a second memory such as a cache memory, hard disk or other storage medium. Further, the processors of the edge server 402 may be dedicated processors to perform the various specific functions described below. The edge server 402 preferably further includes software and/or firmware provided in a read only memory or in a secondary storage which can be loaded into memory for execution or, alternatively, executed from the secondary storage by the processors, to implement the various functions as detailed below. To further improve performance, such software functionality may also be provided by application specific integrated circuits (“ASICs”). For example, an edge server 402 can comprise a Compaq TaskSmart™ Server manufactured by Compaq Corporation, located in Austin, Tex. The TaskSmart™ Server can include an Intel IXA1000 Packet Processor manufactured by Intel Corporation, located in Santa Clara, Calif. to perform the traffic monitoring and port specific traffic interception functions as well as the security applications as detailed below. The TaskSmart™ Server can further include a PAX.port 1100™ classification adapter manufactured by Solidum Corporation, located in Scotts Valley, Calif., which can receive intercepted DNS translation requests from the packet processor and, utilizing a look up table (preferably stored in a memory providing high speed access), determine whether or not the request is associated with a subscribing server 108, as described below. The classification adapter can attempt to resolve the DNS request or hand it off to a general processor such as an Intel Pentium III™ or other general purpose processor for further operations as detailed below. An exemplary edge server 402 may have six 9.1 GB hot pluggable hard drives preferably in a RAID or other redundant configuration, two redundant hot pluggable power supplies, five 10/100 Ethernet ports and 1 GB of main memory, and be capable of handling in excess of 1250 requests per second.

The request interceptor 404 listens to the network traffic passing between the POP's 114 of the affiliated service provider 120 and the network 100 and selectively intercepts DNS translation requests generated by any of the clients 102, 104 coupled with the particular affiliated service provider 120. Such interception is preferably accomplished by identifying the destination “port” of any given data packet generated by a client 102, 104; alternatively, other methods of identifying a packet type may be used, such as by matching the destination address with a list of known DNS translation server addresses. A port in programming is a “logical connection place” and specifically, within the context of the Internet's communications protocol, TCP/IP, a port is the way a client program specifies a particular applications program on a computer in a network to receive its requests. Higher-level applications that use the TCP/IP protocol, such as HTTP or the DNS translation protocol, have ports with pre-assigned numbers. These are known as “well-known ports” and have been assigned by the Internet Assigned Numbers Authority (IANA). Other application processes are given port numbers dynamically for each connection. When a service (server program) initially is started, it is said to bind to its designated port number. As any client program wants to use that server, it also must request to bind to the designated port number. Port numbers are from 0 to 65536. Ports 0 to 1024 are reserved for use by certain privileged services. For the HTTP service, port 80 is defined as a default and it does not have to be specified in the Uniform Resource Locator (URL). In an alternative embodiment, the routing equipment 206 of the service provider 120 is programmed to forward all DNS translation requests to the edge server 402. The request interceptor 404 can then choose which DNS translation requests to intercept as described below. This alternative routing scheme may be implemented through a traffic routing protocol such as a Domain Name System Translation Protocol (“DNSTP”). This protocol is implemented in similar fashion to the Web Cache Control Protocol (“WCCP”) which is used to redirect HTTP requests to proxy cache servers based on the specified port in the packet.

DNS translation requests are identified by the port number 53. The request interceptor 404 monitors all data traffic with the specified port number for a DNS translation request. It then is capable of intercepting DNS translation requests generated by clients 102, 104 such as computer workstations, wireless devices or internal DNS translators on a private network. The request interceptor 404 is aware of which content delivery services subscribe to the edge server 402 service and is operative to selectively intercept DNS translation requests associated with the subscribing content delivery service, i.e. requests containing domain names intended to be translated by the DNS translator of the content delivery service or server 108. The request interceptor 404 may provide a table or database stored in memory or other storage device where it can look up the service subscribers to determine whether the particular DNS translation request should be intercepted. It is preferred that the request interceptor 404 make this determination at “wire speed”, i.e. at a speed fast enough so as not to impact the bandwidth and throughput of the network traffic it is monitoring.

When a DNS translation request is generated by a client 102, 104 to translate a domain name associated with the content delivery service, as described above for the modified HTTP slow start protocol, to retrieve the separately stored Web page content, that DNS translation request will be selectively intercepted by the request interceptor 404 of the edge server 402. The interception will occur before it reaches the bound/destination DNS translation server bound to or specified by the client 102, 104. The request interceptor 404 will then pass the intercepted DNS translation request to the request modifier 406.

The request modifier 406 modifies the DNS translation request to include additional information or indicia related to the client 102, 104 so that the intelligent DNS translation server of the content delivery service or server 108 can make a more optimized decision on which of the geographically dispersed cache servers 302, 304 would be optimal to serve the requests of the client 102, 104. This additional information can include the geographic location of the POP 114 or the characteristics of the downstream network infrastructure, such as whether the client 102, 104 is connecting to the POP 114 via a modem connection or a broadband connection or whether the client 102, 104 is a wired or wireless client, etc. It will be appreciated that there may be other information or indicia that the edge server 402 can provide to enhance the DNS translation request and this may depend on the capabilities of the subscribing content delivery services, and all such additional indicia are contemplated. It is preferable that the subscribing content service providers are familiar with the indicia data types, content and possible encoding schemes which the edge server 402 can provide so as to establish a protocol by which the data is transferred to the subscribing content delivery service. Such information is then recognized and used by the content delivery service to enhance their redirection. For example, by knowing the geographic location of the POP 114 as provided by the edge server 402, the content delivery service does not need to rely on the IP address of the bound DNS server from which it receives the translation request (described in more detail below) and therefore will make a more accurate determination of which cache server 302, 304 to choose. Similarly, by knowing the capabilities of the downstream network infrastructure from the POP 114 to the client 102, 104 as provided by the edge server 402, the content delivery service can redirect content requests by the client 102, 104 to a cache server 302, 304 with capabilities which match. For example, where the POP 114 to client 102, 104 connection is a broadband connection, the client 102, 104 can be directed to make its requests to a cache server 302, 304 capable of utilizing the available bandwidth to the client 102, 104. In contrast, where the client 102, 104 connects to the POP 114 via a modem/standard telephone line connection, the content delivery service can direct that client 102, 104 to make its requests to an appropriate low speed cache server 302, 304 so as not to waste the resources of high bandwidth cache servers 302, 304.

Once the DNS translation request has been modified, the request modifier 406 passes the DNS translation request to the request forwarder 408. The request forwarder places the modified DNS translation request back into the general stream of network traffic where it can be routed to its originally intended destination, i.e. the bound or specified DNS translation server 204, 410 bound to or specified by the originating client. The DNS translation server 204, 410 will translate the request as described above, by contacting the DNS translation server 306, DNS C associated with the content delivery service. As described above, the intelligent DNS translation server 306 of the content delivery service will see the modified request and utilize the information/indicia included by the edge server 402 to make a more optimal translation and cache server 302, 304 assignment.
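The interception and modification steps described above (port-53 identification, the subscriber lookup of the request interceptor 404, the indicia appended by the request modifier 406, and the content delivery service reading them back), as an added Python model that is not part of the patent. The subscriber zone names are constructed, and carrying the indicia in an EDNS0 OPT record under a private-use option code is an assumption; the patent leaves the encoding to be agreed between the edge server and the content delivery service.

```python
import struct

# Constructed subscriber table (hypothetical zone names): lookups under these
# zones are intercepted and modified; everything else is forwarded untouched.
SUBSCRIBERS = {"cdn.example.net", "content.example.org"}

# Assumed encoding: the indicia ride in an EDNS0 OPT pseudo-record under a
# private-use option code. The patent leaves the actual encoding to agreement
# between the edge server and the content delivery service.
EDGE_INDICIA_OPTION = 65001
DNS_PORT = 53
OPT_TYPE = 41


def _read_name(pkt, off):
    """Read an uncompressed DNS name at off; return (dotted name, next offset)."""
    labels = []
    while True:
        length = pkt[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        if length & 0xC0:
            raise ValueError("compression pointer not expected here")
        labels.append(pkt[off:off + length].decode("ascii").lower())
        off += length

def _encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid, qname, qtype=1):
    """Constructed sample: a plain recursive A query as a client would send."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + _encode_name(qname) + struct.pack("!HH", qtype, 1)

def parse_query(pkt):
    """Return (txid, qname, qtype, end of question); reject non-queries."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack("!3H", pkt[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = _read_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, qname, qtype, off + 4

def should_intercept(qname, subscribers=SUBSCRIBERS):
    """Subscriber lookup: is qname inside a zone that subscribes to the edge?"""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in subscribers for i in range(len(parts)))

def add_indicia(pkt, pop_geo, link_type):
    """Request modifier 406: append an OPT record with POP location/link type."""
    _txid, _qname, _qtype, qend = parse_query(pkt)
    if any(struct.unpack("!3H", pkt[6:12])) or len(pkt) != qend:
        raise ValueError("query already carries extra records")
    payload = f"geo={pop_geo};link={link_type}".encode("ascii")
    opt_rr = (b"\x00"  # root owner name
              + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 4 + len(payload))
              + struct.pack("!HH", EDGE_INDICIA_OPTION, len(payload)) + payload)
    return pkt[:10] + struct.pack("!H", 1) + pkt[12:qend] + opt_rr  # ARCOUNT=1

def intercept(pkt, dst_port, pop_geo, link_type):
    """Request interceptor 404: only port-53 queries for subscribers are touched."""
    if dst_port != DNS_PORT:
        return pkt
    try:
        _txid, qname, _qtype, _end = parse_query(pkt)
        if not should_intercept(qname):
            return pkt
        return add_indicia(pkt, pop_geo, link_type)
    except ValueError:
        return pkt  # malformed or unexpected: forward unmodified, never drop

def read_indicia(pkt):
    """Content delivery service side: recover the indicia, or None if absent."""
    _txid, _qname, _qtype, off = parse_query(pkt)
    arcount = struct.unpack("!H", pkt[10:12])[0]
    for _ in range(arcount):
        _owner, off = _read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            value, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code == EDGE_INDICIA_OPTION:
                return dict(kv.split("=", 1) for kv in value.decode("ascii").split(";"))
    return None
```

Queries for non-subscribers, on other ports, or already carrying additional records pass through byte-for-byte, which is the "forward unmodified" behaviour a wire-speed interceptor needs.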

FIG. 4 depicts an exemplary content delivery transaction between Client 1 102 and Server 1 108. For the purposes of this example transaction, Client 1 102 is bound to DNS translation server 204, labeled “DNS A1.” Client 1 102 initiates the HTTP slow start protocol as described above by making its initial request for an HTML Web page from Server 1 108. This initiation may require making several DNS translations as described above, labeled as “A”, “B1”, “C1”, “D1”, “E1”, “F1”, “G1”, “H.” Once the HTML Web page has been received by Client 1 102, it will begin to request the separately stored content associated with the Web page. As was discussed above, where Server 1 108 has been “content enabled” and subscribes to the content delivery service, the URL's of the separately stored content will comprise the domain name of the content delivery service. As well, as discussed above, these domain names will require complete DNS translation all the way back to the DNS translation server 306, DNS C of the content delivery service because the content delivery service ensures that all of its translations have TTL=0 and therefore cannot be stored in any given downstream DNS translation server. Therefore, Client 1 102 will initiate a DNS translation for the URL of the separately stored content, labeled “I.” This DNS translation request will go through the POP 114 and to the routing equipment 206 of the service provider 120. The edge server 402 will see this DNS translation request and identify the domain name of the content service provider as a subscriber to its service. The request interceptor 404 will then intercept the DNS translation request, labeled as “J.” The request interceptor 404 will pass the intercepted DNS translation request to the request modifier 406 which will append a geographic indication representing the physical geographic location of the edge server 402 or alternatively, other downstream network characteristics. Given that the edge server 402 is located geographically proximate to the POP's 114, this information will more accurately represent the location of Client 1 102. Alternatively, while the edge server 402 may not be geographically proximate to the POP's 114, it may be network proximate to the POP's 114, i.e. there may be a minimum of network infrastructure between the POP's 114 and the edge server 402. In some instances, while one device on a network may sit physically right next to another device on the network, the network topology may dictate that data flowing between those devices flow over a circuitous route to get from one device to the other. In this case, while the devices are physically close to one another, they are not logically close to one another. The edge server 402 is preferably familiar, not only with its geographic location within the context of the network 100 as a whole, but also its logical location. Using this information, the edge server 402 can further include information as to this logical location so as to enable, not only a geographically optimal redirection of Client 1's 102 requests but also a network topology based optimized redirection.

The request modifier 406 will then pass the modified DNS translation request to the request forwarder 408 which will place the request back into the general traffic stream, and in this case, on its way to the original intended recipient, Client 1's 102 bound DNS translation server 204, DNS A1, labeled as “K1.” DNS A1 204 will then translate the modified DNS translation request as described above and return the translation to Client 1 102, labeled as “L1”, “M1”, “N1”, “O.” DNS C 306, using the additional data provided by the edge server 402, will supply a DNS translation redirecting Client 1's 102 requests to Cache C2 304 which is the optimal cache server.

FIG. 4 further depicts a second exemplary content delivery transaction between Client 1 102 and Server 1 108. For the purposes of this second example transaction, Client 1 102 is a wireless or mobile wired device connecting to a POP 114 provided by service provider 120 but is bound to DNS translation server 410, labeled “DNS A2” provided by service provider 118. Note that in the previous exemplary transaction above, Client 1 102 was bound to DNS A1 204, e.g., Client 1 102 was a stationary computer or private network subscribing to the network 100 connection services of service provider 120 and using the POP's 114 provided by the service provider 120 and that service provider's 120 DNS translation server 204, DNS A1. In the current example, Client 1 102 is a subscriber to the network 100 connection services of service provider 118 but is currently roaming, i.e. geographically located in an area not serviced by a POP 116 provided by service provider 118. Therefore Client 1 102 must use a POP 114 provided by a service provider 120, which for example, has an agreement to allow such connections from service provider's 118 customers. However, because DNS translation servers are bound to the Client 102, i.e. the address of the preferred DNS translation server is programmed into the Client 102, Client 102 will still use its programmed or bound DNS translation server, typically the DNS translation server provided by its service provider 118, in this case DNS A2 410.

As above, Client 1 102 initiates the HTTP slow start protocol as described above by making its initial request for an HTML Web page from Server 1 108. This initiation may require making several DNS translations as described above but using DNS A2 410 instead of DNS A1 204, labeled as transactions “A”, “B2”, “C2”, “D2”, “E2”, “F2”, “G2”, “H.” Once the HTML Web page has been received by Client 1 102, it will begin to request the separately stored content associated with the Web page. As was discussed above, where Server 1 108 has been “content enabled” and subscribes to the content delivery service, the URL's of the separately stored content will comprise the domain name of the content delivery service. As well, as discussed above, these domain names will require complete DNS translation all the way back to the DNS translation server 306, DNS C of the content delivery service because the content delivery service ensures that all of its translations have TTL=0 and therefore cannot be stored in any given downstream DNS translation server. Therefore, Client 1 102 will initiate a DNS translation for the URL of the separately stored content, labeled “I.” This DNS translation request will go through the POP 114 and to the routing equipment 206 of the service provider 120. The edge server 402 will see this DNS translation request and identify the domain name of the content service provider as a subscriber to its service. The request interceptor 404 will then intercept the DNS translation request, labeled as “J.” The request interceptor 404 will pass the intercepted DNS translation request to the request modifier 406 which will append a geographic indication representing the physical geographic location of the edge server 402. Given that the edge server 402 is located geographically proximate to the POP's 114, this information will more accurately represent the location of Client 1 102. Alternatively, while the edge server 402 may not be geographically proximate to the POP's 114, it may be network proximate to the POP's 114, i.e. there may be a minimum of network infrastructure between the POP's 114 and the edge server 402. In some instances, while one device on a network may sit physically right next to another device on the network, the network topology may dictate that data flowing between those devices flow over a circuitous route to get from one device to the other. In this case, while the devices are physically close to one another, they are not logically close to one another. The edge server 402 is preferably familiar, not only with its geographic location within the context of the network 100 as a whole, but also its logical location. Using this information, the edge server 402 can further include information as to this logical location so as to enable, not only a geographically optimal redirection of Client 1's 102 requests but also a network optimized redirection.

The request modifier 406 will then pass the modified DNS translation request to the request forwarder 408 which will place the request back into the general traffic stream, and in this case, on its way to the original intended recipient, Client 1's 102 bound DNS translation server 410, DNS A2, labeled as “K2.” DNS A2 410 will then translate the modified DNS translation request as described above and return the translation to Client 1 102, labeled as “L2”, “M2”, “N2”, “O.” In this case, without the additional data provided by the edge server 402, DNS C 306 would have made its redirection determination based on the IP address of DNS A2 410, as described above. This would have resulted in Client 1 102 being redirected to Cache C1 302 instead of the optimal cache for its location. However, DNS C 306, using the additional data provided by the edge server 402, is able to supply a DNS translation redirecting Client 1's 102 requests to Cache C2 304 which is the optimal cache server.

VI. The Second Embodiment

Referring to FIG. 5, there is depicted a second embodiment of an enhanced DNS system to facilitate content delivery which is not dependent upon the geographic location of the downstream DNS server and is capable of enhancing the HTTP slow start protocol.

FIG. 5 shows Clients 1 and 2 102, 104 coupled with POP's 114, POP1A and POP1B of service provider 120. As described above, service provider 120 includes routing equipment 206, Cache 208 and DNS translation server 204 to facilitate coupling the POP's 114 with the network 100. In addition, service provider 120 further includes an edge server 502 and an edge cache 508. In one alternative embodiment, the edge server 502 is integrated with a router. In another alternative embodiment, the edge server 502 is integrated with a generally accessible DNS translation server such as DNS A 204. In still another alternative embodiment, the edge server 502 can be integrated with the edge cache 508 or each can be provided as separate devices or the edge server 502 can utilize an existing cache server 208 provided by the service provider 120. For clarity, a number of the components of FIG. 4 have been omitted from FIG. 5.

Referring to FIG. 5A, the edge server 502 further includes a request interceptor 504 and an edge DNS translation server 506. It is preferred that the facilities and capabilities of the edge server 502 be provided to Web servers 108 on a subscription or fee for services basis as will be described below. It is further preferred that an edge server 502 and edge cache 508 be provided at every service provider 118, 120 or at every major network 100 intersection so as to provide coverage of every POP 114, 116 on the edge 124 of the network 100. The edge server 502 preferably includes one or more processors, a memory coupled with the processors and one or more network interfaces or other interfaces, also coupled with the processors and operative to couple or integrate the edge server 502 with the routing equipment of the service provider 120. Optionally, the edge server 502 may include secondary storage including a second memory such as a cache memory, hard disk or other storage medium. Further, the processors of the edge server 502 may be dedicated processors to perform the various specific functions described below. The edge server 502 preferably further includes software and/or firmware provided in a read only memory or in a secondary storage which can be loaded into memory for execution or, alternatively, executed from the secondary storage by the processors, to implement the various functions as detailed below. To further improve performance, such software functionality may also be provided by application specific integrated circuits (“ASICS”). For example, an edge server 502 can comprise a Compaq TaskSmart™ Server manufactured by Compaq Corporation, located in Austin, Tex. The TaskSmart™ Server can include an Intel IXA1000 Packet Processor manufactured by Intel Corporation, located in Santa Clara, Calif. to perform the traffic monitoring and port specific traffic interception functions as well as the security applications as detailed below. The TaskSmart™ Server can further include a PAX.port 1100™ classification adapter manufactured by Solidum Corporation, located in Scotts Valley, Calif., which can receive intercepted DNS translation requests from the packet processor and, utilizing a look up table (preferably stored in a memory providing high speed access), determine whether or not the request is associated with a subscribing server 108, as described below. The classification adapter can attempt to resolve the DNS request or hand it off to a general processor such as an Intel Pentium III™ or other general purpose processor for further operations as detailed below. An exemplary edge server 502 may have six 9.1 GB hot pluggable hard drives preferably in a RAID or other redundant configuration, two redundant hot pluggable power supplies, five 10/100 Ethernet ports and 1 GB of main memory and is capable of handling in excess of 1250 requests per second.

As described above, the request interceptor 504 operates to selectively intercept DNS translation requests associated with its subscribing Web server 108 generated by clients 1 and 2 102, 104. Alternatively, DNS translation requests can be forwarded to the request interceptor 504 by the service provider's 120 routing equipment 206 as described above. In this embodiment, however, because the request interceptor 504 is monitoring for DNS translation requests associated with the server 108 and not some separate content delivery service, the request interceptor 504 will selectively intercept all DNS translation requests, including the initial request to retrieve the HTML Web page file and begin the HTTP slow start protocol. Again, the request interceptor 504 preferably includes a database or table stored in a memory or other storage medium which indicates the domain names or other identification information of subscribing servers 108.

The selectively intercepted DNS translation requests are passed by the request interceptor 504 to an internal edge DNS translation server 506. The internal edge DNS translation server 506 then translates the given domain name into the IP address of the edge cache 508 and returns this translation to the client 102, 104, labeled “A”, “B”, “C”, “D.” This effectively redirects the client 102, 104 to make all of its content requests from the edge cache 508. This is in contrast to a proxy server, where the client 102, 104 is not redirected but either thinks that it is communicating with the server 108 (in the case of a transparent or server side reverse proxy server) or has been specifically programmed to communicate its requests to the proxy server (in the case of a client side forward proxy server). The edge cache 508 operates as a normal cache server as described above, attempting to satisfy content requests from its cache storage. However, when the requested content is not available in the cache storage (a cache miss), the request is proxied to the server 108 by the edge cache 508 and/or edge server 502, i.e. the edge cache 508 and/or edge server 502 make the request on behalf of the client 102, 104. This is in contrast to normal cache servers which forward the request from the client 102, 104 onto the server 108 upon a cache miss.

Cache misses are handled as described above: the edge server 502 or alternatively the edge cache 508 makes its own request for the uncached content from the server 108. Alternatively, other algorithms can be used to reduce or eliminate cache misses including mirroring the content of the server 108 coupled with periodic updates either initiated by the edge server 502 or edge cache 508 or periodically pushed to the edge cache 508 by the server 108. In another alternative embodiment, the server 108 can update cached content when it determines that such content has changed or can provide time durations or other form of expiration notification after which the edge cache 508 purges the content. Where the content expires or is otherwise purged from the edge cache 508, the next request for that content will miss and cause a reload of the content from the server 108. One of ordinary skill in the art will recognize that there are many caching algorithms which may be used to maintain cache coherency. It is further preferable that the edge cache 508 maintain a replacement policy of replacing the oldest data in the cache when the cache is full. Again, one of ordinary skill in the art will recognize that there are many different cache replacement algorithms that may be used.

In this way, the edge server 502 and edge cache 508 act similarly to a forward or reverse proxy server for all of its subscribing servers 108. Generally, a reverse proxy server is a proxy server that hides multiple source servers behind a single address. A reverse proxy server allows a content provider to serve their content from multiple host computers without requiring users to know the addresses of each of those computers. When a user makes a request to a content provider, they use the address of the reverse proxy server. The reverse proxy server intercepts the requests for content from the source and redirects those requests to the appropriate host computer within the content provider. The redirection can be based on which machine contains the requested content or can be used to balance the request load across multiple mirrored servers. A forward proxy server sits between a workstation user and the Internet so that the enterprise can ensure security, administrative control and caching services. A forward proxy server can be associated with a gateway server which separates the enterprise network from an outside network such as the Internet. The forward proxy server can also be associated with a firewall server which protects the enterprise network from outside intrusion. Forward proxy servers accept requests from their users for Internet content and then request that content from the source on behalf of the user. The forward proxy server modifies the identity of the requestor (typically by altering the internet protocol address of the requestor) to be that of the forward proxy server. A user workstation typically must be configured to use a proxy server. A forward proxy server can also be a cache server (see above).

A major distinction between the edge server 502 and a proxy server is that there is no one address of the edge server 502. The edge server 502 effectively needs no address because it intercepts the necessary network traffic. Therefore, clients 102, 104 do not need to know of the existence of the edge server 502 and can operate as they normally do, making content requests of servers 108. However, when they request content from a subscribing server 108, that content will be transparently provided instead by the edge server 502 and edge cache 508.

Effectively, the edge server 502 and edge cache 508 isolate the sub-network comprising the service provider 120, the POP's 114 and the clients 102, 104 from the subscribing server 108, i.e. the clients 102, 104 are prevented from any direct contact with server 108. Should the client 102, 104 request uncached content, it is the edge cache 508 and not the client 102, 104 which will request that content from the server 108. Furthermore, the edge server 502 and edge cache 508 can ensure that the request is valid and legitimate before communicating with the server 108. This “trusted” relationship between the edge server 502/edge cache 508 and the subscribing servers acts as additional security for the servers 108. Those servers 108 can be programmed to ignore content requests from clients 102, 104 since they know that only valid content requests can come from an edge server 502/edge cache 508. Furthermore, the edge server 502 alleviates the load on the server's 108 internal DNS translation server 210 because all DNS translations will be handled by the internal edge DNS translator 506.

The effect of the edge server 502 and edge cache 508 is faster DNS translations and better response times to requests. The edge cache 508 can serve the initial HTML Web page file to the requesting client 102, 104 and immediately begin the process of requesting the separately stored content (if not already in the cache) from the server 108 in order to speed up the HTTP slow start protocol. Furthermore, it is preferred that the edge caches 508 located throughout the edge 124 of the network 100 be capable of communicating and sharing cached data. In this way, the edge caches 508 can further reduce the demands placed on the subscribing servers 108.

Notice, however, that because the edge server 502 intercepts translation requests, a client 102, 104 that already knows the IP address of the server 108 can still directly communicate with that server 108 via the network 100. In this case, the server 108 can choose to disconnect itself from the network 100 generally (or refuse to accept any inbound content requests from the network 100 that do not originate from an edge server 502/edge cache 508; however, such origination may be forged). The edge server 502 and edge cache 508 can then connect with the server 108 using private proprietary communications links which are not available to clients 102, 104.

The edge server 502 and edge cache 508 can also provide load balancing and security services to the subscribing servers. For example, open source load balancing techniques available from eddieware.org can be implemented in the edge server 502. Where a particular server 108 comprises multiple sub-servers, the edge cache 508 can be programmed to request uncached content from the sub-servers so as to spread the load on each sub-server.

Further, because the edge server 502 acts as the DNS translator server for its subscribers, it can detect and absorb any security attacks based on the DNS system, such as distributed denial of service attacks, “DDOS.” A Denial of Service Attack (“DOS” or Distributed DOS “DDOS”) is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available or the temporary loss of all network connectivity and services. In the worst cases, for example, a Web site accessed by millions of people can occasionally be forced to temporarily cease operation. A denial of service attack can also destroy programming and files in a computer system. Although usually intentional and malicious, a denial of service attack can sometimes happen accidentally. A denial of service attack is a type of security breach to a computer system that does not usually result in the theft of information or other security loss. However, these attacks can cost the target person or company a great deal of time and money.

DDOS attacks come in mainly two varieties: one attempts to shut down the DNS system in relation to the target site so that no legitimate user can obtain a valid translation and make a request from the site. Another type of DDOS attack attempts to overload the server 108 directly with a flood of content requests which exceed the capacity of the server. However, it will be appreciated that, by placing edge servers 502 and edge caches 508 so that all POP's 114, 116 are covered and can be monitored, DDOS attacks can never reach the server 108 itself and will always be detected close to their origination by an edge server 502 where they can be stopped and isolated. It will be further apparent that where a DDOS attack cripples one edge server 502 and its associated sub-network, the remaining edge servers 502 at other service providers 118, 120 (and their associated sub-networks) can remain operational and therefore the server 108 suffers minimal impact as a result of the DDOS attack. In addition, it is preferred that the edge server 502 and edge cache 508 provide bandwidth and processing power far in excess of that needed by the sub-network comprising the POP's 114 and service provider 120 in order to be able to absorb DDOS attacks and not be crippled by them.

It will further be appreciated that the edge server 502 can incorporate the capabilities of the edge server 402 by providing enhanced DNS translations for subscribing content delivery services as well as the enhanced content delivery itself for subscribing servers 108.

In addition, where client 102, 104 is a private network such as an intranet, which has its own internal DNS translation server which is making DNS translation requests out to the network 100, the edge server 502 can set its returned DNS translations to have a TTL=0 so that the client's 102, 104 internal DNS server must always forward DNS translation requests to subscribing server 108 upstream where they can be intercepted by the edge server 502. Otherwise, the caching function of the client's 102, 104 internal DNS translation server would prevent proper DNS translations from occurring. Notice that this is not an issue in the first embodiment, because as discussed above, the content delivery service performs the DNS translations and always sets translation TTL=0 to facilitate its operation.
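The redirect translation returned by the internal edge DNS translation server 506 (the edge cache's address in place of the subscribing server's) and the TTL=0 requirement just described for a client that is a private network with its own caching DNS server, as an added Python model that is not part of the patent. The edge cache address and subscriber name are constructed, and `InternalResolver` is a hypothetical stand-in for the client's internal caching DNS server, not a real resolver.

```python
import socket
import struct

EDGE_CACHE_IP = "192.0.2.10"  # constructed address standing in for edge cache 508


def _encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_redirect_response(txid, qname, cache_ip=EDGE_CACHE_IP, ttl=0):
    """Edge DNS translation server 506: answer a subscriber's name with the
    edge cache's address. ttl=0 tells downstream caches not to keep it."""
    flags = 0x8580                                   # QR=1, AA=1, RD=1, RA=1
    header = struct.pack("!6H", txid, flags, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answer = (struct.pack("!H", 0xC00C)              # compression pointer to qname
              + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(cache_ip))
    return header + question + answer


def parse_a_answer(resp, qname):
    """Downstream resolver side: (ip, ttl) from a single-answer A response."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", resp[:12])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("expected a response with exactly one answer")
    off = 12 + len(_encode_name(qname)) + 4 + 2      # skip question and name pointer
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    if (rtype, rclass, rdlen) != (1, 1, 4):
        raise ValueError("expected an IN A record")
    return socket.inet_ntoa(resp[off + 10:off + 14]), ttl


class InternalResolver:
    """Hypothetical model of a private network's caching DNS server (the
    intranet client 102, 104 in the text). `edge` is callable(txid, qname) -> bytes
    and stands in for the path through the edge server 502."""

    def __init__(self, edge):
        self.edge = edge
        self.cache = {}               # qname -> (ip, expires_at)
        self.upstream_queries = 0     # lookups the edge server actually saw

    def resolve(self, qname, now):
        hit = self.cache.get(qname)
        if hit and now < hit[1]:
            return hit[0]             # answered locally; the edge never sees it
        self.upstream_queries += 1
        ip, ttl = parse_a_answer(self.edge(self.upstream_queries, qname), qname)
        if ttl > 0:                   # a TTL=0 answer must not be cached
            self.cache[qname] = (ip, now + ttl)
        return ip


def lookups_reaching_edge(ttl, lookups=5):
    """How many of `lookups` one-per-second lookups of a subscriber name reach
    the edge server when its answers carry the given TTL."""
    edge = lambda txid, qname: build_redirect_response(txid, qname, ttl=ttl)
    resolver = InternalResolver(edge)
    for second in range(lookups):
        resolver.resolve("www.subscriber.example", now=second)
    return resolver.upstream_queries
```

With TTL=0 every lookup reaches the edge and can be intercepted; with a nonzero TTL the internal resolver answers the later lookups itself, which is the caching problem the text warns about.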

VII. The Third Embodiment

Referring to FIG. 6, there is depicted an enhanced network 100 to facilitate content delivery and network 100 security. FIG. 6 depicts clients 1 and 2 102, 104 connected with POP's 114, POP2A and POP2B of service provider 118 effectively forming a sub-network of the network 100. Further, clients 3 and 4 106, 612 are shown connected to POP's 116, POP1A and POP1B of service provider 120. Further, service providers 118, 120 each include an edge server 602A, 602B and an edge cache 604A, 604B coupled with the routing equipment 206 of the service providers 118, 120 so as to be able to intercept all network traffic flowing between the POP's 114, 116 and the network 100. In one alternative embodiment, the edge server 602 is integrated with a router. In another alternative embodiment, the edge server 602 is integrated with a generally accessible DNS translation server such as DNS A1 204 or DNS A2 410. In still another alternative embodiment, the edge server 602 is integrated with the edge cache 604, or alternatively they can be implemented as separate devices or the edge server 602 can utilize a cache server 208 provided by the service provider 118, 120 (not shown in FIG. 6). It is preferred that the facilities and capabilities of the edge servers 602 be provided to Web servers 108 on a subscription or fee for services basis as will be described below. It is further preferred that an edge server 602 and edge cache 604 be provided at every service provider 118, 120 or at every major network 100 intersection so as to provide coverage of every POP 114, 116 on the edge 124 of the network 100, i.e. to minimize the size of the sub-network downstream from the edge server 602.

Referring to FIG. 6A, the edge server 602 further includes a request filter 606, a request interceptor 608 and a proxy server and/or internal DNS translation server 610. The edge server 602 is capable of operating similarly to the edge servers 402 and 502 of the previous embodiments. However, the edge server 602 is further capable of intercepting data traffic at the packet level based on the source or destination IP address contained within the packets flowing past the edge server 602. In this way, the edge server 602 is able to provide complete isolation of its subscribing servers 108, 110. Any network traffic destined for a subscribing server 108, 110 can be intercepted by the edge server 602 and acted upon. The edge server 602 preferably includes one or more processors, a memory coupled with the processors and one or more network interfaces or other interfaces, also coupled with the processors and operative to couple or integrate the edge server 602 with the routing equipment of the service provider 120. Optionally, the edge server 602 may include secondary storage including a second memory such as a cache memory, hard disk or other storage medium. Further, the processors of the edge server 602 may be dedicated processors to perform the various specific functions described below. The edge server 602 preferably further includes software and/or firmware provided in a read only memory or in a secondary storage which can be loaded into memory for execution or, alternatively, executed from the secondary storage by the processors, to implement the various functions as detailed below. To further improve performance, such software functionality may also be provided by application specific integrated circuits ("ASICs"). For example, an edge server 602 can comprise a Compaq TaskSmart™ Server manufactured by Compaq Corporation, located in Austin, Tex. The TaskSmart™ Server can include an Intel IXA1000 Packet Processor manufactured by Intel Corporation, located in Santa Clara, Calif., to perform the traffic monitoring and port specific traffic interception functions as well as the security applications as detailed below. The TaskSmart™ Server can further include a PAX.port 1100™ classification adapter manufactured by Solidum Corporation, located in Scotts Valley, Calif., which can receive intercepted DNS translation requests from the packet processor and, utilizing a look up table (preferably stored in a memory providing high speed access), determine whether or not the request is associated with a subscribing server 108, as described below. The classification adapter can attempt to resolve the DNS request or hand it off to a general processor such as an Intel Pentium III™ or other general purpose processor for further operations as detailed below. An exemplary edge server 602 may have six 9.1 GB hot pluggable hard drives, preferably in a RAID or other redundant configuration, two redundant hot pluggable power supplies, five 10/100 Ethernet ports and 1 GB of main memory, and be capable of handling in excess of 1250 requests per second.

For valid content requests from clients 102, 104, 106, 612, the edge server 602 in combination with the edge cache 604 acts just like the edge server 502 and edge cache 508 in the previous embodiment. Such requests will be redirected to and served from the edge cache 604. Again, an edge cache 604A at one service provider 118 can share cached data with another edge cache 604B located at another service provider 120. In this way, a comprehensive content delivery service is created which completely isolates the core 122 of the network 100 from untrusted and unregulated client 102, 104, 106, 612 generated network traffic. Such traffic is isolated at the edge 124 of the network 100 within the sub-network below, i.e. downstream from, the edge server 602, where it can be contained, monitored and serviced more efficiently. In terms of the economics of the network 100, then, the load on the expensive high bandwidth communications resources located at the core 122 of the network 100 is reduced, and traffic is maintained at the edge 124 of the network, where bandwidth is less expensive.

In addition, the edge server's 602 packet level filter 606 prevents any client 102, 104, 106, 612 from directly communicating with any subscribing server 108, 110, even if that client 102, 104, 106, 612 has the IP address of the server 108, 110. The packet level filter 606 will see the destination IP address in the network traffic and selectively intercept that traffic.

Once traffic is intercepted, the edge server 602 can perform many value added services. As described above, the edge server 602 can perform DNS translations and redirect clients 102, 104, 106, 612 to make their content requests to the edge cache 604. The edge server 602 can also monitor the data transmissions being generated by clients 102, 104, 106, 612 for malicious program code, i.e. program code that has been previously identified (by the server 108 or a third party such as a virus watch service) as unwanted, harmful or destructive, such as viruses, or for other unauthorized data being transmitted. For example, if the edge server 602A detects a data packet whose origin address could not have come from the downstream network or POP's 114 to which it is connected, the edge server 602A knows that this data packet must be a forgery and can eradicate it or prevent it from reaching the network 100. For example, where a computer hacker surreptitiously installs a program on client 1 102 to make a DDoS attack on server 1 108 but appear as if the attack is coming from client 4 612, the edge server 602A will see the packets generated by client 1 102 and also see that they contain a source address associated with a client, in this case client 4 612, which, based on the address, could not have come from any POP 114 of the service provider 118 to which the edge server 602A is connected. In this case, the edge server 602A can eliminate that packet and then attempt to identify the actual originating client, in this case client 1 102, so that the attack can be stopped and investigated. In addition, because general network traffic is unable to reach the subscribing servers 108, 110, hackers would be unable to access those servers in attempts to steal valuable data such as credit card numbers.

Furthermore, to enhance security, as described above, the connections between the edge servers 602A, 602B and edge caches 604A, 604B can alternatively be made through private communications links instead of the publicly accessible network 100. In this way, only trusted communications over secure communications links can reach the servers 108, 110. This security, in combination with the multiple dispersed edge servers 602A, 602B and edge caches 604A, 604B covering the edge 124 of the network 100, ensures that the subscribing servers 108, 110 will be able to serve their content under high demand and despite security threats.

In operation, the request filter 606 pre-filters traffic before receipt by the request interceptor 608. The request filter 606 preferably provides subscriber detection, "ingress filtering" capability and cache hit determination. The request filter 606 first determines whether or not the traffic it is monitoring is associated with a subscribing/affiliated server 108, 110. If not, this traffic is ignored and allowed to proceed to its final destination. The request filter 606 preferably comprises a table or database of subscribers stored in a memory or other storage device. If the traffic is associated with a subscribing server 108, 110, the request filter 606 then performs ingress filtering by determining whether the packet originated downstream from the edge server 602, i.e. from the downstream sub-network, the POP's 114, 116 affiliated with this particular edge server 602, or from upstream, which indicates that it did not originate from an affiliated POP 114, 116 and is therefore suspect and most likely invalid. Packets originating from upstream are preferably eradicated. Valid downstream originating packets are then analyzed for the content/nature of the packet. If the packet comprises a content request, the request filter 606 can determine if the request can be satisfied by the edge cache 604. Preferably, the request filter 606 maintains a table or database in memory or other storage medium of the edge cache 604 contents. If the packet contains a request that can be satisfied from the edge cache 604, the request filter 606 will hand the packet/request off to the edge cache 604. The edge cache 604 operates similarly to the edge cache 508 of the above embodiment. If the packet comprises a DNS translation request or a content request which cannot be satisfied by the edge cache 604, the request filter 606 hands the packet/request off to the internal request transmitter/proxy server/DNS translation server 610 to proxy, e.g. transmit, the request to the intended server or provide a DNS translation. The server 108 responds with the requested content to the edge server 602 and/or edge cache 604, which then returns the response to the requesting client 102, 104, 106, 612 and/or caches the response. It is preferred that the request filter 606 be able to perform its functions at "wire speed", i.e. a speed which will have minimal impact on network 100 bandwidth and throughput. The request filter 606 thereby further alleviates the processing load on the internal DNS translator/proxy server 610 of the edge server 602.
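The request filter's three checks (subscriber detection, ingress filtering and cache hit determination), together with the forged-source case from the DDoS discussion above, as an added Python example that is not the patent's own code: packets are classified in the order the text gives, and a packet dropped by the ingress check is attributed to the POP it physically arrived on rather than to the source address it carries. The subscriber addresses, downstream prefixes, cache contents, POP names and sample packets are all constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """The fields the request filter looks at (constructed abstraction for the example)."""
    ingress: str   # POP / interface the packet arrived on, known to the edge server
    src: str       # source IP address carried in the packet (attacker-controlled)
    dst: str       # destination IP address
    dport: int     # destination port
    request: str   # first request line, e.g. "GET /index.html"


# All of the following tables are assumptions for the example, not from the page.
SUBSCRIBERS = {"198.51.100.10"}                          # addresses of subscribing servers
DOWNSTREAM = [ipaddress.ip_network("192.0.2.0/24")]      # prefixes behind this edge server's POPs
CACHE_CONTENTS = {"/index.html", "/logo.png"}            # objects held by the edge cache


def originated_downstream(src, prefixes=DOWNSTREAM):
    """Ingress filtering: the claimed source must lie in a prefix served by a downstream POP."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def classify(pkt, subscribers=SUBSCRIBERS, prefixes=DOWNSTREAM, cache=CACHE_CONTENTS):
    """Apply the request filter's checks in order and return the disposition:
    'pass'  - not for a subscribing server, ignored and forwarded untouched
    'drop'  - for a subscriber but the source could not have come from downstream (forged)
    'dns'   - a translation request to be handed to the internal DNS translator
    'cache' - a content request the edge cache can satisfy
    'proxy' - a content request to be proxied to the origin server"""
    if pkt.dst not in subscribers:
        return "pass"
    if not originated_downstream(pkt.src, prefixes):
        return "drop"
    if pkt.dport == 53:
        return "dns"
    parts = pkt.request.split()
    if pkt.dport == 80 and len(parts) >= 2 and parts[0] == "GET" and parts[1] in cache:
        return "cache"
    return "proxy"


def run_filter(packets, **tables):
    """Classify a stream of packets; for dropped packets, record the ingress POP, which is
    the edge server's only trustworthy clue to the actual originating client."""
    decisions = [classify(p, **tables) for p in packets]
    suspect_pops = sorted({p.ingress for p, d in zip(packets, decisions) if d == "drop"})
    return decisions, suspect_pops


# Constructed sample traffic as seen by one edge server; 203.0.113.0/24 stands in for
# addresses behind the other service provider (the kind of address a spoofer forges).
SAMPLE = [
    Packet("POP2A", "192.0.2.5", "198.51.100.10", 80, "GET /index.html"),    # cache hit
    Packet("POP2A", "192.0.2.5", "198.51.100.10", 80, "GET /cart"),          # cache miss
    Packet("POP2B", "192.0.2.7", "198.51.100.10", 53, "A www.example.com"),  # DNS request
    Packet("POP2A", "203.0.113.9", "198.51.100.10", 80, "GET /index.html"),  # forged source
    Packet("POP2B", "192.0.2.7", "203.0.113.50", 80, "GET /"),               # non-subscriber
]


if __name__ == "__main__":
    print(run_filter(SAMPLE))
```

The ingress check only catches a forged source that lies outside this edge server's downstream prefixes, which is the same test RFC 2827 (BCP 38) recommends at the provider edge. A client that forges the address of a neighbour served by the same edge server passes it, which is why the example records the ingress POP rather than the carried source address when it drops a packet, and why a per-POP prefix table is stronger than the single per-edge-server table used here.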

It will be appreciated that, in any of the above embodiments, additional upstream edge servers and edge caches can be provided at major peering points to provide a layered hierarchy of cache storage tiers which further enhances the response times. In addition, a hierarchy of edge servers and edge caches can be used to handle any overload of one or more downstream edge servers and edge caches, or to handle spill over of capacity, or even a complete failure of one or more edge servers or edge caches. By forming a hierarchy of edge servers and edge caches, the network 100 and service provider 118, 120 fault tolerance is increased and enhanced.

The edge servers and edge caches therefore act similarly to proxy servers. However, where a forward proxy server alters the source address of a given content request (effectively making that request on behalf of a client), an edge server merely adds additional data to the source address which can then be used by upstream content delivery services for more accurate redirection, or intercepts and substitutes the address translation transactions to redirect a client to make its requests from a nearby edge cache. Therefore, there is no need to intercept content requests, since those requests will have already been directed to the edge cache. While a reverse proxy server is typically tightly bound with a group of servers which belong to a single entity or comprise a single Web site, the edge server performs reverse proxy functions for any entity or Web site which subscribes to the service. Furthermore, no changes are required to the client or the subscribing servers. Once the subscriber tables are updated within the edge servers, the edge server will start to perform its functions on the network traffic of the subscribing Web server. The subscribing Web server does not need to alter its Web site in any way, and the client does not need to be pre-programmed to communicate with the edge server.

Further, the network of edge servers and edge caches located at every major network intersection so as to cover every POP, thereby minimizing the size of the sub-network downstream from the edge server, forms a security barrier which isolates the core infrastructure and servers of the network/Internet from the edge where the clients are located. In addition to isolation, network performance is enhanced by virtually placing the content and services of core content providers at network-logically and physically-geographically proximate locations with respect to the clients. Content is placed as close as possible to the requesters of that content, resulting in enhanced response times and enhanced throughput. This results in reduced load, congestion and bandwidth consumption of the expensive high capacity backbone links which form the core of the network. Trivial network traffic is maintained at the edge of the network, speeding response times and throughput. In addition, the edge caches are capable of communicating with one another and sharing cached data, thereby greatly enhancing the caching effect and further reducing the load on the core of the network.

By further making the edge servers more intelligent, such as by adding additional processing capacity, dynamic load balancing services can be provided to the subscribing servers which can respond to changing demands for content. The edge servers and edge caches are further located to minimize the number of downstream clients, thereby forming sub-networks which can isolate and contain network traffic. This allows security services to be provided by isolating security threats to the smallest possible portion of the network while leaving the remaining portions of the network fully operational. Further, would-be hackers are prevented from directly accessing a subscribing server and trying to break in and steal valuable data. Therefore, even where a particular server has a security hole, the data stored there will still be protected. In addition, the edge server is aware of its physical/geographic location and its logical location within the network hierarchy, allowing it to enhance content redirection services as clients go wireless or otherwise become more mobile in relation to their service providers. Finally, the provision of a decentralized DNS enhancement system, as provided by the presently preferred embodiments, reduces the load on the existing DNS system and on subscribing servers' internal DNS systems, as well as providing a distributed defense against DNS based denial of service attacks. Such attacks can be isolated to the smallest portion of the network possible and closest to the attack's source, while the remaining portions of the network remain unaffected. Further, by isolating the attack, the source of the attack can be more easily pinpointed and investigated. Traffic can be monitored for unauthorized or malicious program code, i.e. program code previously identified as unwanted, harmful or destructive, such as the placement of zombies or virus programs. Such programs can be detected and eradicated before they can make it to their intended destination.

In addition, the provision of the decentralized DNS enhancement system, as provided by the presently preferred embodiments, provides an infrastructure which may be used to supplant the existing DNS system and allow the creation of new domain names and a new domain name allocation service. New services such as a keyword based DNS system may also be provided to further increase the ease of use of the network 100, and which do not rely on any modifications to a user's Web browser program, i.e. which remain transparent to both the client and the content provider. A user's attempt to request content from a subscribing content provider using a new domain name provided by this new DNS system would be intercepted prior to reaching the existing DNS system and be properly translated so as to direct the user to the content provider. Alternatively, the request may be redirected to an edge server and edge cache which proxies the request for the user to the content provider. Such a system allows the content provider to remain a part of the network 100, i.e. remain connected to the Internet and maintain their access within the existing DNS system, or they may choose to completely disconnect from the network 100 altogether and utilize proprietary communications links to the network of edge servers and edge caches to provide users/clients with access to their content.

It will be further appreciated by one of ordinary skill in the art that the provision of numerous distributed edge servers and edge caches encircling the core of the network 100 provides a secure decentralized infrastructure on which service applications can be built. Through the provision of additional application and data processing capabilities within the edge servers, service applications such as user applications (for example, content monitoring/filtering, advertising filtering, privacy management and network personalization), e-commerce applications (such as regional and local electronic store fronts, distributed shopping carts or advertising distribution), distributed processing applications, database access applications (such as distributed enterprise database access), communications applications (such as electronic mail, identity authentication/digital signatures, anti-spam filtering and spam source detection, voice telephony and instant messaging), search engine applications, multimedia distribution applications (such as MP3 or MPEG distribution and content adaptation), push content applications (such as stock quotes, news or other dynamic data distribution), network applications (such as on-demand/dynamic virtual private networks and network/enterprise security), etc. can be implemented. These applications can be implemented with minimal hardware at the network 100 core 122 because much of the processing load and bandwidth demands are distributed out at the edge 124 of the network 100. Further, any application where decentralization of the client interface from the back-end processing enhances the application can be applied on a wide scale to the edge server infrastructure to reduce the centralized demands on the service providers.

It is therefore intended that the foregoing detailed description be regarded as illustrative rather than limiting, and that it be understood that it is the following claims, including all equivalents, that are intended to define the spirit and scope of this invention.

We claim:
1. An apparatus for facilitating communications between a client and a server over a network, said apparatus comprising: a request interceptor coupled with said network, said network operative to transmit a plurality of translation requests including a first translation request generated by said client, said first translation request comprising a first address identifying said server, said first translation request being directed, by said client, to a first address translator separate from said request interceptor, said first address translator being coupled with said network and operative to, when said first translation request is received, translate said first address into a first translated address and to return said first translated address to said client via said network thereby facilitating said communications between said client and said server, said request interceptor being operative to selectively intercept said first translation request from among said plurality of translation requests prior to receipt by said first address translator and to translate said first address into a second translated address and return said second translated address to said client via said network, said selective interception being determined based on a criteria other than only that said first translation request is one of said plurality of translation requests.
2. The apparatus of claim 1, wherein said network comprises the Internet.
3. The apparatus of claim 1, wherein said client comprises a computer.
4. The apparatus of claim 1, wherein said client comprises a private network.
5. The apparatus of claim 4, wherein said private network further comprises a private address translator operative to generate said first translation request.
6. The apparatus of claim 1, wherein said first address comprises a domain name, and said first translated address and said second translated address comprise internet protocol addresses.
7. The apparatus of claim 1, wherein said first address comprises a symbolic network address, and said first translated address and said second translated address comprise physical network addresses.
8. The apparatus of claim 7, wherein said first translated address is different from said second translated address.
9. The apparatus of claim 7, wherein said first translated address is associated with said first server, and said second translated address is associated with a first cache.
10. The apparatus of claim 1, wherein said first address is characterized by being human comprehensible, and said first translated address and said second translated address are characterized by being computer readable.
11. The apparatus of claim 1, wherein said second translated address identifies a cache affiliated with said server and proximate to said client.
12. The apparatus of claim 11, wherein said apparatus further comprises said cache, said cache being coupled with said request interceptor.
13. The apparatus of claim 11, wherein said proximity comprises geographic proximity.
14. The apparatus of claim 11, wherein said network further comprises a topology, said proximity comprising logical proximity based on said topology.
15. The apparatus of claim 1, wherein said request interceptor is coupled with a network router.
16. The apparatus of claim 1, wherein said request interceptor is coupled with a second address translator, said second address translator operative to receive said selectively intercepted first translation request from said request interceptor and translate said first address into said second translated address.
17. The apparatus of claim 1, further comprising a traffic monitor coupled with said network, wherein said network is further operative to transmit data between said client and said server, said traffic monitor operative to monitor said transmitted data.
18. The apparatus of claim 17, wherein said traffic monitor is further operative to detect malicious program code within said transmitted data.
19. The apparatus of claim 17, wherein said traffic monitor is further operative to detect unauthorized data within said transmitted data.
20. The apparatus of claim 17, wherein said traffic monitor is further operative to detect forged communications within said transmitted data.
21. A method of facilitating communications over a network, said network comprising a server and at least one sub-network coupled with said server, said at least one sub-network coupled with a first translator and a client, said method comprising: monitoring said at least one sub-network for a first translation request of a plurality of translation requests, said first translation request generated by said client and directed by said client to said first translator, said first translation request comprising a first address intended to be translated into a first translated address by said first translator; intercepting, selectively by a device separate from said first translator, said first translation request from among said plurality of translation requests prior to receipt by said first translator and translation of said first address thereby, based on a criteria other than only that said first translation request is one of said plurality of translation requests; translating, by said device, said first address of said intercepted first translation request into a second translated address; and returning said second translated address to said client.
22. The method of claim 21, wherein said first address is a domain name, said first translated address is a first internet protocol address and said second translated address is a second internet protocol address different from said first internet protocol address.
23. The method of claim 21, wherein said second translated address is associated with a cache affiliated with said server.
24. The method of claim 23, wherein said translating further comprises determining said second translated address to be an address associated with a proximately optimal cache affiliated with said server relative to said client.
25. The method of claim 24, wherein said cache is geographically optimal.
26. The method of claim 24, wherein said cache is proximately optimal based on a topology of said network.
27. The method of claim 21, wherein said translating comprises translating, by a second translator coupled with said device, said first address of said intercepted first translation request into a second translated address.
28. An apparatus for facilitating communications between a client and a first server and a second server over a network, said apparatus comprising: a request interceptor coupled with said network, said network operative to transmit a plurality of translation requests including a first translation request and a second translation request generated by said client, said first translation request comprising a first address identifying said first server and said second translation request comprising a second address identifying said second server, said first translation request and said second translation request being directed by said client to a first address translator separate from said request interceptor, said first address translator being coupled with said network and operative to, when said first translation request and said second translation request are received, translate said first address into a first translated address and translate said second address into a second translated address and to return said first translated address and said second translated address to said client via said network thereby facilitating said communications between said client and said first server and said second server, said request interceptor being operative to selectively intercept said first translation request from among said plurality of translation requests prior to receipt by said first address translator and to translate said first address into a third translated address and return said third translated address to said client via said network, said selective interception being determined based on a criteria other than only that said first translation request is one of said plurality of translation requests.
29. The apparatus of claim 28, wherein said request interceptor is coupled with a second address translator, said second address translator operative to receive said selectively intercepted first translation request from said request interceptor and translate said first address into said third translated address.
30. The apparatus of claim 28, wherein said request interceptor is further operative to selectively intercept said second translation request from among said plurality of translation requests prior to receipt by said first address translator, said selective interception being determined based on said criteria other than only that said second translation request is one of said plurality of translation requests, and wherein the apparatus further comprises a request modifier coupled with said request interceptor and operative to modify said second address to a modified address and a request forwarder coupled with said request modifier and operative to forward said modified second translation request to said first address translator.
31. A method of facilitating communications over a network, said network comprising a first server and a second server and at least one sub-network coupled with said first server and said second server, said at least one sub-network coupled with a translator and a client, said method comprising: monitoring said at least one sub-network for a first translation request and a second translation request of a plurality of translation requests, said first translation request and said second translation request generated by said client and directed by said client to said translator, said first translation request comprising a first address intended to be translated into a first translated address by said translator and said second translation request comprising a second address intended to be translated into a second translated address by said translator; intercepting, selectively by a device separate from said translator, said first translation request from among said plurality of translation requests prior to receipt by said translator based on a criteria other than only that said first translation request is one of said plurality of translation requests; translating said first address of said intercepted first translation request into a third translated address; and returning said third translated address to said client.
32. The method of claim 31, further comprising: intercepting, selectively by said device, said second translation request from among said plurality of translation requests prior to receipt by said translator based on said criteria other than only that said second translation request is one of said plurality of translation requests; modifying said second address of said intercepted second translation request into a modified address; and forwarding said modified second translation request to said translator.